CVE-2026-27898 — MEDIUM (5.4)

Q: How severe is CVE-2026-27898?

CVE-2026-27898 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-27898?

Check the references section above for vendor advisories and patch information. Affected products include: Dani-Garcia Vaultwarden.

Vulnerability Description

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.). This issue has been patched in version 1.35.4.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Dani-Garcia	Vaultwarden	< 1.35.4

Related Weaknesses (CWE)

CWE-639

References

https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w9f8-m526-h7Vendor Advisory

FAQ

What is CVE-2026-27898?

CVE-2026-27898 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id an...

How severe is CVE-2026-27898?

CVE-2026-27898 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-27898?

Check the references section above for vendor advisories and patch information. Affected products include: Dani-Garcia Vaultwarden.