CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24365 – vaultwarden allows escalation of privilege via variable confusion in OrgHeaders trait
https://notcve.org/view.php?id=CVE-2025-24365
27 Jan 2025 — vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker can obtain owner rights of other organization. Hacker should know the ID of victim organization (in real case the user can be a part of the organization as an unprivileged user) and be the owner/admin of other organization (by default you can create your own organization) in order to attack. This vulnerability is fixed in 1.33.0. • https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0 • CWE-284: Improper Access Control •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24364 – vaultwarden allows RCE in the admin panel
https://notcve.org/view.php?id=CVE-2025-24364
27 Jan 2025 — vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code in the system. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email. This vulne... • https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56335 – Privilege escalation allows organization groups to be updated/deleted if their UUID is known in vaultwarden
https://notcve.org/view.php?id=CVE-2024-56335
20 Dec 2024 — vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. In affected versions an attacker is capable of updating or deleting groups from an organization given a few conditions: 1. The attacker has a user account in the server. 2. The attacker's account has admin or owner permissions in an unrelated organization. 3. The attacker knows the target organization's UUID and the target group's UUID. • https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-g65h-982x-4m5m • CWE-269: Improper Privilege Management CWE-284: Improper Access Control CWE-285: Improper Authorization CWE-287: Improper Authentication •