Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible unauthenticated endpoint with low complexity; limited to low confidentiality and integrity impact with no scope change or availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO discovery and pre-validation flow returned organization-related SSO metadata including organizationIdentifier values for arbitrary email addresses and allowed a valid pre-validation JWT to be obtained with only the discovered identifier, enabling SSO-enabled organization enumeration and authentication workflow abuse. This issue is fixed in version 1.36.0.
AnalysisAI
Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values - to unauthenticated requests for arbitrary email addresses, enabling organization enumeration and authentication workflow abuse. All Vaultwarden deployments prior to 1.36.0 with SSO enabled are affected; an attacker with network access could query the /organizations/domain/sso/verified endpoint with any email address to harvest real org names and identifiers, then leverage those identifiers to obtain a valid pre-validation JWT through the prevalidate() flow without legitimate credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | SSO must be explicitly enabled on the Vaultwarden instance (`SSO_ENABLED=true` or equivalent configuration); instances without SSO configured are not affected by either the enumeration or the pre-validation JWT abuse path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms unauthenticated remote exploitation with low complexity against default-accessible network endpoints. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a publicly accessible Vaultwarden instance and submits a series of POST requests to the `/organizations/domain/sso/verified` endpoint with target email addresses (e.g., corporate email formats), receiving real organizationIdentifier and organization name values in response. Armed with a valid identifier, the attacker calls the `prevalidate()` endpoint to obtain a legitimate pre-validation JWT, which can then be used to initiate or interfere with the SSO authentication flow for that organization's users. … |
| Remediation | Upgrade to Vaultwarden 1.36.0 or later, available at https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0; this is the only complete fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Vaultwarden
View allTwo-factor authentication bypass in Vaultwarden 1.34.3 and earlier allows authenticated attackers to circumvent 2FA prot
Vaultwarden versions prior to 1.35.4 fail to properly enforce collection management permissions, allowing authenticated
Vaultwarden versions before 1.35.4 contain a privilege escalation vulnerability that allows authenticated Manager-level
Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible ser
Authentication bypass (account takeover) in Vaultwarden before 1.36.0 allows an attacker who controls a federated identi
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Rated high sev
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when t
Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls
{domain}/icon.png endpoint, bypassing the server's address blocklist. The icon-fetching HTTP client in src/http_client.r
Vaultwarden versions up to 1.35.4 is affected by authorization bypass through user-controlled key (CVSS 5.4).
Vaultwarden versions 1.35.4 and earlier expose organization collection metadata to Manager-role users lacking full acces
Vaultwarden versions 1.35.4 and earlier allow authenticated attackers to permanently disable WebAuthn two-factor authent
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44694