{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-27T03:55:00.111","vulnerabilities":[{"cve":{"id":"CVE-2026-27898","sourceIdentifier":"security-advisories@github.com","published":"2026-03-04T22:16:18.373","lastModified":"2026-06-17T10:27:50.620","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call \"PUT /api/ciphers/{id}/partial\". Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes cipherDetails (including name, notes, data, secureNote, etc.). This issue has been patched in version 1.35.4."},{"lang":"es","value":"Vaultwarden es un servidor compatible con Bitwarden no oficial escrito en Rust, anteriormente conocido como bitwarden_rs. Antes de la versión 1.35.4, un usuario regular autenticado puede especificar el cipher_id de otro usuario y llamar a 'PUT /api/ciphers/{id}/partial'. Aunque la API de recuperación estándar deniega correctamente el acceso a ese cifrado, el endpoint de actualización parcial devuelve 200 OK y expone cipherDetails (incluyendo nombre, notas, datos, secureNote, etc.). \nEste problema ha sido parcheado en la versión 1.35.4."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"dani-garcia","product":"vaultwarden","versions":[{"version":"< 1.35.4","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-05T15:29:18.966051Z","id":"CVE-2026-27898","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*","versionEndExcluding":"1.35.4","matchCriteriaId":"3EE3AB66-F61B-479C-A6C3-C2EEEB6FD55A"}]}]}],"references":[{"url":"https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-w9f8-m526-h7fh","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}