CVE-2026-27898: Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher
In the test environment, it was confirmed that an authenticated regular user can specify another user’s cipher_id and call:
PUT /api/ciphers/{id}/partial
Although the standard retrieval API correctly denies access to that cipher, the partial-update endpoint returns 200 OK and exposes the cipher's details in cipherDetails (including name, notes, data, secureNote, etc.). The defect is therefore a missing ownership check on one route, not a flaw in the cipher's access model as a whole.
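The pattern behind this class of bug is a per-object authorization gate that the retrieval route enforces but a sibling update route skips. The added example below is not Vaultwarden's code: it is a constructed in-memory model with made-up `Cipher`, `Store` and `PartialUpdate` types (the update scope of folder and favorite is an assumption) that shows the vulnerable shape beside the fix, where every per-cipher route passes through one ownership gate.

```rust
use std::collections::HashMap;

/// Constructed model of a stored vault item; not Vaultwarden's real type.
#[derive(Clone, Debug, PartialEq)]
pub struct Cipher { pub owner: String, pub name: String, pub folder: Option<String>, pub favorite: bool }
/// Fields a partial update may change (assumed scope for this model).
pub struct PartialUpdate { pub folder: Option<String>, pub favorite: bool }
#[derive(Debug, PartialEq)]
pub enum ApiError { NotFound }
pub struct Store { ciphers: HashMap<String, Cipher> }

impl Store {
    /// The one authorization gate for every per-cipher route: a cipher the caller does
    /// not own is reported as NotFound, indistinguishable from one that does not exist.
    fn cipher_for_user(&mut self, user: &str, id: &str) -> Result<&mut Cipher, ApiError> {
        match self.ciphers.get_mut(id) {
            Some(c) if c.owner == user => Ok(c),
            _ => Err(ApiError::NotFound),
        }
    }

    /// GET /api/ciphers/{id}: passes through the gate, so a foreign id yields NotFound.
    pub fn get_cipher(&mut self, user: &str, id: &str) -> Result<Cipher, ApiError> {
        self.cipher_for_user(user, id).map(|c| c.clone())
    }

    /// Vulnerable shape: looks the cipher up by id alone, mutates it and echoes its
    /// details back, so the caller's identity never enters the decision.
    pub fn partial_update_unchecked(&mut self, _user: &str, id: &str, p: &PartialUpdate) -> Result<Cipher, ApiError> {
        let c = self.ciphers.get_mut(id).ok_or(ApiError::NotFound)?;
        c.folder = p.folder.clone();
        c.favorite = p.favorite;
        Ok(c.clone())
    }

    /// Fixed shape: the same gate as retrieval runs before anything is changed or returned.
    pub fn partial_update(&mut self, user: &str, id: &str, p: &PartialUpdate) -> Result<Cipher, ApiError> {
        let c = self.cipher_for_user(user, id)?;
        c.folder = p.folder.clone();
        c.favorite = p.favorite;
        Ok(c.clone())
    }
}

/// Constructed sample data: cipher "c1" belongs to alice.
pub fn sample_store() -> Store {
    let c = Cipher { owner: "alice".into(), name: "bank".into(), folder: None, favorite: false };
    Store { ciphers: HashMap::from([("c1".to_string(), c)]) }
}
```

A regression test that calls both the retrieval and the update route with a non-owner's identity and expects the same NotFound from each is the cheapest way to keep the two routes from drifting apart again.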