Skip to main content

Vaultwarden CVE-2026-47159

| EUVDEUVD-2026-44694 MEDIUM
Improper Authentication (CWE-287)
2026-07-15 GitHub_M
6.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-accessible unauthenticated endpoint with low complexity; limited to low confidentiality and integrity impact with no scope change or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:50 vuln.today
Analysis Generated
Jul 15, 2026 - 15:50 vuln.today

DescriptionCVE.org

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO discovery and pre-validation flow returned organization-related SSO metadata including organizationIdentifier values for arbitrary email addresses and allowed a valid pre-validation JWT to be obtained with only the discovered identifier, enabling SSO-enabled organization enumeration and authentication workflow abuse. This issue is fixed in version 1.36.0.

AnalysisAI

Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values - to unauthenticated requests for arbitrary email addresses, enabling organization enumeration and authentication workflow abuse. All Vaultwarden deployments prior to 1.36.0 with SSO enabled are affected; an attacker with network access could query the /organizations/domain/sso/verified endpoint with any email address to harvest real org names and identifiers, then leverage those identifiers to obtain a valid pre-validation JWT through the prevalidate() flow without legitimate credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Vaultwarden instance with SSO enabled
Delivery
POST arbitrary email to /organizations/domain/sso/verified
Exploit
Extract real organizationIdentifier from response
Execution
Call prevalidate() with harvested identifier
Persist
Obtain valid pre-validation JWT
Impact
Abuse SSO authentication workflow for targeted organization

Vulnerability AssessmentAI

Exploitation SSO must be explicitly enabled on the Vaultwarden instance (`SSO_ENABLED=true` or equivalent configuration); instances without SSO configured are not affected by either the enumeration or the pre-validation JWT abuse path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms unauthenticated remote exploitation with low complexity against default-accessible network endpoints. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a publicly accessible Vaultwarden instance and submits a series of POST requests to the `/organizations/domain/sso/verified` endpoint with target email addresses (e.g., corporate email formats), receiving real organizationIdentifier and organization name values in response. Armed with a valid identifier, the attacker calls the `prevalidate()` endpoint to obtain a legitimate pre-validation JWT, which can then be used to initiate or interfere with the SSO authentication flow for that organization's users. …
Remediation Upgrade to Vaultwarden 1.36.0 or later, available at https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0; this is the only complete fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-27801 MEDIUM POC
5.9 Mar 04

Two-factor authentication bypass in Vaultwarden 1.34.3 and earlier allows authenticated attackers to circumvent 2FA prot

CVE-2026-27803 HIGH
8.3 Mar 04

Vaultwarden versions prior to 1.35.4 fail to properly enforce collection management permissions, allowing authenticated

CVE-2026-27802 HIGH
8.3 Mar 04

Vaultwarden versions before 1.35.4 contain a privilege escalation vulnerability that allows authenticated Manager-level

CVE-2026-47158 HIGH
8.3 Jul 15

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible ser

CVE-2026-47164 HIGH
7.7 Jul 15

Authentication bypass (account takeover) in Vaultwarden before 1.36.0 allows an attacker who controls a federated identi

CVE-2024-56335 HIGH
7.5 Dec 20

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Rated high sev

CVE-2026-43911 MEDIUM
6.8 May 11

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when t

CVE-2026-26012 MEDIUM
6.5 Feb 11

Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls

CVE-2026-47160 MEDIUM
5.8 Jul 15

{domain}/icon.png endpoint, bypassing the server's address blocklist. The icon-fetching HTTP client in src/http_client.r

CVE-2026-27898 MEDIUM
5.4 Mar 04

Vaultwarden versions up to 1.35.4 is affected by authorization bypass through user-controlled key (CVSS 5.4).

CVE-2026-33420 MEDIUM
5.3 May 05

Vaultwarden versions 1.35.4 and earlier expose organization collection metadata to Manager-role users lacking full acces

CVE-2026-31835 MEDIUM
5.3 May 05

Vaultwarden versions 1.35.4 and earlier allow authenticated attackers to permanently disable WebAuthn two-factor authent

Share

CVE-2026-47159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy