Missing authentication check for emergency access

A missing authentication check that allows the metadata of an emergency access to be altered was found in Vaultwarden version 1.30.3 (or earlier). We have reported this vulnerability to the developer, who addressed the issue and fixed it in version 1.32.0.

Once emergency access has been initiated, the grantee could modify the access terms, including the access level and the wait time. This allows the grantee to access the grantor's data with a higher access level (full account takeover instead of view-only access) and without waiting for the defined wait time to expire (7 days by default). The access limitation defined by the grantor is therefore rendered ineffective. This access control vulnerability only affects the API endpoint for modifying emergency access; at the endpoint for creating emergency access, Vaultwarden correctly checks user permissions. The exploitability of this finding is therefore limited to the designated grantee gaining higher privileges to access the grantor's data. No vulnerabilities that allow the unauthorized creation of emergency access for a targeted user were found.

Description

Emergency access is a feature of Vaultwarden that allows a user (access grantor) to designate a trusted contact (grantee), who can request access to their vault data in case of an emergency.

When setting up an emergency access, the grantor can define some terms of the granted access, including:

  • Access level: dictates whether the grantee only has view access to the grantor's data or is allowed to take over the grantor's account

  • Wait time: dictates how long the grantee must wait to access the grantor's data after initiating emergency access. This wait time gives the grantor a time window during which they can revoke the emergency access.

More information about Vaultwarden emergency access can be found in the upstream Bitwarden server emergency access page.

Once emergency access is initiated, its metadata can be changed via the API endpoint PUT /api/emergency-access/<access_UUID>. This allows the grantor to change the conditions of the emergency access they created, including access level and wait time.

It was found that Vaultwarden does not enforce any access control at this API endpoint. Our tests showed that even an unauthenticated user could modify an emergency access with arbitrary data if the access UUID is known. The following screenshot depicts the issue.

To modify an emergency access, a valid access UUID has to be specified as a request parameter. Vaultwarden uses UUID version 4 for entity IDs, which are difficult to enumerate. Nevertheless, the grantee can find this UUID in the notification mail:
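As an added illustration (not Vaultwarden's code; the actual fix is in the referenced pull request), the following Rust model shows the two checks an update handler for this endpoint must perform before applying new terms: that the request is authenticated, and that the caller is the grantor who created the emergency access. All ids, names and the sample store are constructed placeholders.

```rust
// Added illustration (not Vaultwarden's code): the authorization check that a
// PUT /api/emergency-access/<uuid> handler must perform before applying new terms.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum AccessType { View, Takeover }

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct EmergencyAccess {
    pub id: String,            // UUID v4 in the real system (placeholder here)
    pub grantor_uuid: String,  // user who created the emergency access
    pub grantee_uuid: String,  // trusted contact
    pub access_type: AccessType,
    pub wait_time_days: u32,   // 7 days by default
}

#[derive(Debug, PartialEq, Eq)]
pub enum UpdateError { Unauthenticated, NotFound, Forbidden }

pub struct NewTerms { pub access_type: AccessType, pub wait_time_days: u32 }

/// Applies new terms only when the caller is authenticated AND is the grantor
/// of this emergency access. A handler that skips either check reproduces the
/// vulnerable behaviour described above: a grantee (or anyone knowing the UUID)
/// could raise the access level and shorten the wait time.
pub fn update_emergency_access(
    store: &mut HashMap<String, EmergencyAccess>,
    caller: Option<&str>,      // None = request without a valid session/token
    access_id: &str,
    terms: NewTerms,
) -> Result<(), UpdateError> {
    let caller = caller.ok_or(UpdateError::Unauthenticated)?;
    let ea = store.get_mut(access_id).ok_or(UpdateError::NotFound)?;
    // Ownership check: only the grantor may change the terms they defined.
    if ea.grantor_uuid != caller {
        return Err(UpdateError::Forbidden);
    }
    ea.access_type = terms.access_type;
    ea.wait_time_days = terms.wait_time_days;
    Ok(())
}

/// Constructed sample store with one emergency access (ids are placeholders).
pub fn sample_store() -> HashMap<String, EmergencyAccess> {
    let ea = EmergencyAccess { id: "ea-1".into(), grantor_uuid: "alice".into(),
        grantee_uuid: "bob".into(), access_type: AccessType::View, wait_time_days: 7 };
    HashMap::from([(ea.id.clone(), ea)])
}
```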

Assigned CVE

https://nvd.nist.gov/vuln/detail/CVE-2024-39924

Affected Component

https://github.com/dani-garcia/vaultwarden/

Attack Type

Remote

Attack vectors

To exploit the vulnerability, a malicious user needs to be granted “low level” emergency access to another user's vault.

Reference

https://github.com/dani-garcia/vaultwarden/pull/4715

https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0

Discoverer

Mirko Richter (mgm security partners), Tuyen Thuc Nguyen (mgm security partners)