Vaultwarden CVE-2026-43912 Allows Org Data Access via Group Management Flaw

The National Vulnerability Database has detailed CVE-2026-43912, a high-severity vulnerability (CVSS 8.7) in Vaultwarden, a Rust-based Bitwarden-compatible server. Prior to version 1.35.5, Vaultwarden failed to enforce proper organizational consistency within its group and collection management endpoints. This critical flaw allows an attacker with administrative privileges in one organization (Org A) and low-privileged membership in another (Org B) to bind Org B’s membership UUIDs into an Org A group.

This unauthorized binding grants the attacker access to Org B's vault data. Specifically, if the Org A group is configured with accessAll=true, the attacker can use /api/sync and /api/ciphers to enumerate Org B's ciphers. Once those unauthorized sync results expose Org B's collection IDs, the attacker can bind these foreign collection IDs to the Org A group as well, escalating from read access to write access over Org B's items. The impact on data confidentiality and integrity across organizations is severe.

This vulnerability, categorized under CWE-285 (Improper Authorization), is fixed in Vaultwarden version 1.35.5. Organizations utilizing Vaultwarden instances must prioritize upgrading to the patched version immediately to prevent cross-organizational data compromise.
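The defect is a missing organizational consistency check on both bindings the advisory names (membership UUIDs and collection UUIDs). The Rust below is an added illustration of that invariant, written for this page; it is not Vaultwarden's code or schema. Store, BindError, check_same_org and the "org-a"/"group-a" style identifiers are constructed placeholders.

```rust
use std::collections::HashMap;
/// Stand-in for the three tables the advisory names (constructed; not Vaultwarden's schema).
pub struct Store {
    pub group_org: HashMap<&'static str, &'static str>,      // group uuid -> organization uuid
    pub membership_org: HashMap<&'static str, &'static str>, // users_organizations uuid -> organization uuid
    pub collection_org: HashMap<&'static str, &'static str>, // collection uuid -> organization uuid
}
#[derive(Debug, PartialEq)]
pub enum BindError {
    UnknownGroup,
    UnknownTarget(String),
    CrossOrg { target: String, target_org: String, group_org: String }, // row exists, wrong organization
}
/// The missing invariant: every target row must belong to the group's own organization.
fn check_same_org(
    group_org: &HashMap<&'static str, &'static str>,
    target_org: &HashMap<&'static str, &'static str>,
    group_uuid: &str,
    targets: &[&str],
) -> Result<(), BindError> {
    let org = *group_org.get(group_uuid).ok_or(BindError::UnknownGroup)?;
    for &t in targets {
        match target_org.get(t) {
            None => return Err(BindError::UnknownTarget(t.to_string())),
            Some(&o) if o != org => return Err(BindError::CrossOrg {
                target: t.to_string(), target_org: o.to_string(), group_org: org.to_string(),
            }),
            Some(_) => {}
        }
    }
    Ok(()) // only now may the handler write the groups_users / collections_groups rows
}
impl Store {
    /// Validation for a request binding membership uuids to a group; any failure rejects the whole request.
    pub fn bind_members(&self, group_uuid: &str, membership_uuids: &[&str]) -> Result<(), BindError> {
        check_same_org(&self.group_org, &self.membership_org, group_uuid, membership_uuids)
    }
    /// Same validation for a request binding collection uuids to a group.
    pub fn bind_collections(&self, group_uuid: &str, collection_uuids: &[&str]) -> Result<(), BindError> {
        check_same_org(&self.group_org, &self.collection_org, group_uuid, collection_uuids)
    }
}
/// Constructed sample: org-a owns group-a, member-a, coll-a; org-b owns member-b, coll-b.
pub fn sample_store() -> Store {
    Store {
        group_org: HashMap::from([("group-a", "org-a")]),
        membership_org: HashMap::from([("member-a", "org-a"), ("member-b", "org-b")]),
        collection_org: HashMap::from([("coll-a", "org-a"), ("coll-b", "org-b")]),
    }
}
```

With the check in place, a request that mixes an Org B membership or collection into an Org A group fails as a whole instead of silently creating the cross-organization link.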

What This Means For You

  • If your organization uses Vaultwarden, this is a critical vulnerability that could allow an attacker with admin rights in one internal organization to fully compromise data in another. This isn't just a data leak; it's a full takeover of vault items. Patch to version 1.35.5 immediately. You need to verify that your Vaultwarden instance is on the latest secure version.

Detection Rules

Severity: critical · ATT&CK: T1190 Exploit Public-Facing Application (Initial Access)

Vaultwarden CVE-2026-43912 - Unauthorized Group Membership Binding

Sigma YAML
title: Vaultwarden CVE-2026-43912 - Unauthorized Group Membership Binding
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  This rule detects attempts to bind a user's membership from one organization to a group in another organization within Vaultwarden, exploiting CVE-2026-43912. This is a critical step in the attack chain, allowing an attacker to gain unauthorized access to data in a different organization by manipulating group relationships.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43912/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/groups/users'
      - '/api/groups/collections'
    cs-method:
      - 'PUT'
    sc-status:
      - '200'
  # condition belongs at the detection level, not inside the selection map
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
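To show what the rule above actually matches, here is an added Rust example (written for this page, not part of the rule or of Vaultwarden) that applies the same selection to a constructed access log. It assumes whitespace-separated fields in the order `date time c-ip cs-method cs-uri sc-status`; the addresses and uuids in SAMPLE_LOG are made up.

```rust
/// One matching request from an access log. Field layout assumed for the constructed
/// sample: `date time c-ip cs-method cs-uri sc-status` (field names as in the Sigma rule).
#[derive(Debug, PartialEq)]
pub struct Hit<'a> { pub time: &'a str, pub client: &'a str, pub uri: &'a str }

/// The rule's selection: PUT to a URI containing either group endpoint, answered with 200.
pub fn selection_matches(method: &str, uri: &str, status: &str) -> bool {
    method == "PUT"
        && status == "200"
        && (uri.contains("/api/groups/users") || uri.contains("/api/groups/collections"))
}

/// Scans log text and returns the matching requests; header lines and short lines are skipped.
pub fn find_hits(log: &str) -> Vec<Hit<'_>> {
    log.lines()
        .filter_map(|line| {
            if line.starts_with('#') { return None; }
            let f: Vec<&str> = line.split_whitespace().collect();
            if f.len() < 6 { return None; }
            let (time, client, method, uri, status) = (f[1], f[2], f[3], f[4], f[5]);
            selection_matches(method, uri, status).then(|| Hit { time, client, uri })
        })
        .collect()
}

/// Distinct client addresses with at least one hit, in first-seen order: the pivot an
/// analyst takes before checking which organizations those requests touched.
pub fn clients_with_hits<'a>(hits: &[Hit<'a>]) -> Vec<&'a str> {
    let mut out: Vec<&'a str> = Vec::new();
    for h in hits {
        if !out.contains(&h.client) { out.push(h.client); }
    }
    out
}

/// Constructed sample log (RFC 5737 documentation addresses, made-up uuids), not real traffic.
pub const SAMPLE_LOG: &str = "\
#Fields: date time c-ip cs-method cs-uri sc-status
2026-05-11 10:00:01 203.0.113.7 GET /api/sync 200
2026-05-11 10:00:09 203.0.113.7 PUT /api/groups/users/aaaa-bbbb 200
2026-05-11 10:00:15 198.51.100.4 PUT /api/groups/users/cccc-dddd 403
2026-05-11 10:00:22 203.0.113.7 PUT /api/groups/collections/aaaa-bbbb 200
2026-05-11 10:00:30 192.0.2.9 POST /api/ciphers 200";
```

Before deploying the rule, confirm its URI substrings against the paths your reverse proxy actually logs for these group endpoints, and expect the matches the rule's own falsepositives field describes: routine administration produces the same requests, so a hit is a pivot for review, not proof of cross-organization binding.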

Indicators of Compromise

ID              Type                    Indicator
CVE-2026-43912  Privilege Escalation    Vaultwarden versions prior to 1.35.5
CVE-2026-43912  Information Disclosure  Vaultwarden versions prior to 1.35.5, via /api/sync and /api/ciphers endpoints
CVE-2026-43912  Auth Bypass             Vaultwarden versions prior to 1.35.5, due to lack of organization consistency enforcement for groups_users.users_organizations_uuid and collections_groups.collections_uuid

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 02:20 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
