Incorrect Authorization Affecting vaultwarden package, versions <1.35.4
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Incorrect Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-RUST-VAULTWARDEN-15440503
- published8 Mar 2026
- disclosed4 Mar 2026
- creditodgrso
Introduced: 4 Mar 2026
NewCVE-2026-27803 (opens in a new tab)How to fix?
Upgrade vaultwarden to version 1.35.4 or higher.
Overview
Affected versions of this package are vulnerable to Incorrect Authorization in the authorization process for management endpoints, where the manage privilege is not properly validated for users with the Manager role. An attacker can gain unauthorized control over collections, including modifying settings, escalating their own privileges, and deleting collections by sending crafted API requests to affected endpoints. This is only exploitable if the attacker is assigned the Manager role within the organization, has access to the target collection, and possesses a valid API access token.