CVE-2026-43912 – Vaultwarden: Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization

CVE ID :CVE-2026-43912

Published : May 11, 2026, 11:20 p.m. | 2 hours, 37 minutes ago

Description :Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization group-management endpoints accept arbitrary MembershipId and CollectionId values and persist them directly without verifying org consistency. This lets an attacker who is Admin in Organization A, and only a low-privileged member in Organization B bind their Org B membership UUID into an Org A group, then use that foreign group relationship to gain unauthorized access to Org B vault data. With an accessAll=true Org A group, the attacker can make /api/sync and /api/ciphers enumerate Org B ciphers. Once those unauthorized sync results reveal Org B collection IDs, the attacker can also bind those foreign collection IDs to the Org A group and turn the same flaw into write access over Org B items. This vulnerability is fixed in 1.35.5.

Severity: 8.7 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-45362 – Sangoma Switchvox SIP Authentication Credential Exposure

CVE-2026-45321 – Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

CVE-2026-8349 – omec-project amf NGAP Message memory corruption

CVE-2026-8346 – D-Link DIR-816 portForward command injection