GHSA-w9f8-m526-h7fh
MEDIUMVaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
vaultwardenReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
Summary
In the test environment, it was confirmed that an authenticated regular user can specify another user’s cipher_id and call:
PUT /api/ciphers/{id}/partial
Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.).
Description
put_cipher_partial retrieves the target Cipher but does not perform ownership or access control checks before returning to_json.
Authorization checks present in the normal update API are missing here.
src/api/core/ciphers.rs:717
let Some(cipher) = Cipher::find_by_uuid(&cipher_id, &conn).await else {
err!("Cipher doesn't exist")
};
if let Some(ref folder_id) = data.folder_id {
if Folder::find_by_uuid_and_user(folder_id, &headers.user.uuid, &conn).await.is_none() {
err!("Invalid folder", "Folder does not exist or belongs to another user");
}
}
// Move cipher
cipher.move_to_folder(data.folder_id.clone(), &headers.user.uuid, &conn).await?;
// Update favorite
cipher.set_favorite(Some(data.favorite), &headers.user.uuid, &conn).await?;
Ok(Json(cipher.to_json(&headers.host, &headers.user.uuid, None, CipherSyncType::User, &conn).await?))
By comparison, the standard update API includes an explicit authorization check: src/api/core/ciphers.rs:688
if !cipher.is_write_accessible_to_user(&headers.user.uuid, &conn).await {
err!("Cipher is not write accessible")
}
The to_json method does not abort processing when access restrictions are not met; instead, it proceeds to construct and return a detailed response.
src/db/models/cipher.rs:175
let (read_only, hide_passwords, _) = if sync_type == CipherSyncType::User {
match self.get_access_restrictions(user_uuid, cipher_sync_data, conn).await {
Some((ro, hp, mn)) => (ro, hp, mn),
None => {
error!("Cipher ownership assertion failure");
(true, true, false)
}
}
} else {
(false, false, false)
};
src/db/models/cipher.rs:335
let mut json_object = json!({
"object": "cipherDetails",
"id": self.uuid,
"type": self.atype,
...
"name": self.name,
"notes": self.notes,
"fields": fields_json,
"data": data_json,
...
});
Preconditions
- The attacker possesses a valid regular-user JWT (Bearer token).
- The attacker knows the target (victim)
cipher_id.
Steps to Reproduce
-
Prepare the attacker JWT and victim
cipher_id(preconditions). -
Baseline check: confirm that standard retrieval is denied.
<img width="2014" height="855" alt="image" src="https://github.com/user-attachments/assets/32b12cc9-3672-4a88-afd0-ef7715474662" /> -
Execute the vulnerable API. Confirm that 200 OK is returned and that
<img width="2018" height="1113" alt="image" src="https://github.com/user-attachments/assets/341b330c-8d55-4f06-a622-0d7da28f62fd" />cipherDetailsincludes fields such asid,name,notes,secureNote, etc.
Potential Impact
- Unauthorized disclosure of other users’ cipher information (confidentiality breach).
- Creation of unauthorized associations within the attacker’s user context (e.g.,
favoriteor folder operations). - The response from
/api/ciphers/<cipher_id>/partialincludesattachments[].url.
In filesystem (FS) deployments, this returns a tokenized endpoint such as:
/attachments/<cipher>/<file>?token=...
In object storage deployments, it returns a short-lived pre-signed URL.
As a result, an attacker can use these URLs to directly download attachment data that they are not authorized to access.
This can lead to disclosure of sensitive information stored in the Vault, including personal data and authentication credentials. Such exposure may further result in account compromise, lateral movement, and other secondary impacts.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | vaultwarden | all versions | 1.35.4 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for vaultwarden. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update vaultwarden to 1.35.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-w9f8-m526-h7fh is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-w9f8-m526-h7fh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-w9f8-m526-h7fh. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-w9f8-m526-h7fh in your dependencies?
O3 detects GHSA-w9f8-m526-h7fh across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.