CVE-2024-39925: An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a res...

Description

An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the application fails to adequately protect some encrypted data stored on the server. Consequently, an authenticated user could gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization. However, the user would need to know the corresponding organizationId. Hence, if a user (whose access to an organization has been revoked) already possesses the organization key, that user could use the key to decrypt the leaked data.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.57%

43.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-200

Affected Software

Vendor	Product	Versions
Dani-Garcia	Vaultwarden	1.30.3

References

https://github.com/dani-garcia/vaultwarden/releasesRelease Notes
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0Release Notes
https://www.mgm-sp.com/cve/missing-rotation-of-the-organization-keyThird Party Advisory

Timeline

Published: Sep 13, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-39925?

An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the application fails to adequately protect some encrypted data stored on the server. Consequently, an authenticated user could gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization. However, the user would need to know the corresponding organizationId. Hence, if a user (whose access to an organization has been revoked) already possesses the organization key, that user could use the key to decrypt the leaked data.

How severe is CVE-2024-39925?

CVE-2024-39925 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.57% probability of exploitation in the next 30 days.

How do I fix CVE-2024-39925?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.