CVE-2026-27802: Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager
A Manager account (access_all=false) could escalate its privileges by calling the bulk-access API directly against collections it had not been assigned to. The endpoint accepted a change from assigned=false to assigned=true for such a collection, granting the Manager access it was never entitled to.
Before the bulk-access call, the regular single-update API correctly returned 401 Unauthorized for the same collection. After the bulk-access call, the same single-update request returned 200 OK, confirming at the HTTP level that the bulk endpoint had granted access the single-update endpoint would have refused: the per-collection authorization check present on the single-update path was missing from the bulk path.
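The gap described above, as an added example in the form of a simplified model (this is not Vaultwarden's code; the `Org`, `Member`, `CollectionAccess` types, the endpoint functions and the user and collection ids are all hypothetical and constructed for illustration). The single-update path checks that the caller can manage the target collection; the vulnerable bulk path applies every row without that check; the hardened bulk path rejects the whole request if any row targets a collection outside the caller's assigned set. `replay` runs the advisory's sequence (single update, bulk update, single update again) so the 401 / 200 flip is visible as return values.

```rust
// Added example: simplified model of the bulk-access authorization gap.
// Not Vaultwarden's code; all names and ids here are hypothetical.
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq)]
pub enum AuthError {
    Unauthorized, // stands in for the HTTP 401 the advisory describes
}

pub struct Member {
    pub access_all: bool,
    pub assigned: HashSet<u32>, // collection ids this member is assigned to
}

#[derive(Default)]
pub struct Org {
    pub members: HashMap<u32, Member>, // user id -> membership
}

/// One (collection, user, assigned) row as carried by a bulk-access request.
pub struct CollectionAccess {
    pub collection_id: u32,
    pub target_user_id: u32,
    pub assigned: bool,
}

impl Org {
    /// A caller may manage a collection if they have access_all or are assigned to it.
    fn can_manage(&self, caller_id: u32, collection_id: u32) -> bool {
        match self.members.get(&caller_id) {
            Some(m) => m.access_all || m.assigned.contains(&collection_id),
            None => false,
        }
    }

    /// Persist one row: add or remove the target user's assignment.
    fn apply(&mut self, req: &CollectionAccess) {
        if let Some(target) = self.members.get_mut(&req.target_user_id) {
            if req.assigned {
                target.assigned.insert(req.collection_id);
            } else {
                target.assigned.remove(&req.collection_id);
            }
        }
    }

    /// Single-update endpoint: enforces the per-collection check.
    pub fn single_update(&mut self, caller_id: u32, req: &CollectionAccess) -> Result<(), AuthError> {
        if !self.can_manage(caller_id, req.collection_id) {
            return Err(AuthError::Unauthorized);
        }
        self.apply(req);
        Ok(())
    }

    /// Vulnerable bulk endpoint: applies every row, never consulting the caller's assignments.
    pub fn bulk_update_vulnerable(&mut self, _caller_id: u32, reqs: &[CollectionAccess]) -> Result<(), AuthError> {
        for req in reqs {
            self.apply(req);
        }
        Ok(())
    }

    /// Hardened bulk endpoint: all-or-nothing, so a partial apply cannot leak access.
    pub fn bulk_update_fixed(&mut self, caller_id: u32, reqs: &[CollectionAccess]) -> Result<(), AuthError> {
        if reqs.iter().any(|r| !self.can_manage(caller_id, r.collection_id)) {
            return Err(AuthError::Unauthorized);
        }
        for req in reqs {
            self.apply(req);
        }
        Ok(())
    }
}

/// Constructed scenario: user 1 is a Manager with access_all=false, assigned only to collection 10.
pub fn demo_org() -> Org {
    let mut org = Org::default();
    org.members.insert(1, Member { access_all: false, assigned: HashSet::from([10]) });
    org
}

/// Replays the advisory's sequence for collection 20 (not assigned to the caller):
/// returns (single update before, bulk update, single update after).
pub fn replay(use_fixed: bool) -> (Result<(), AuthError>, Result<(), AuthError>, Result<(), AuthError>) {
    let mut org = demo_org();
    let req = CollectionAccess { collection_id: 20, target_user_id: 1, assigned: true };
    let before = org.single_update(1, &req);
    let rows = std::slice::from_ref(&req);
    let bulk = if use_fixed { org.bulk_update_fixed(1, rows) } else { org.bulk_update_vulnerable(1, rows) };
    let after = org.single_update(1, &req);
    (before, bulk, after)
}

fn main() {
    println!("vulnerable: {:?}", replay(false));
    println!("fixed:      {:?}", replay(true));
}
```

With the vulnerable bulk path the sequence comes back as Unauthorized, Ok, Ok: the caller has written their own assignment and the single-update check now passes. With the hardened path it stays Unauthorized throughout. The design point is that the bulk handler must apply exactly the same per-collection check as the single handler, and should evaluate it over every row before writing anything.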