Skip to main content

Vaultwarden CVE-2026-47164

| EUVDEUVD-2026-44695 HIGH
Improper Access Control (CWE-284)
2026-07-15 GitHub_M
7.7
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
vuln.today AI
7.4 HIGH

AC:H because exploitation needs non-default SSO_SIGNUPS_MATCH_EMAIL=true plus control of a trusted IdP identity; PR:N as no Vaultwarden auth is needed; account takeover gives C:H/I:H, no availability impact so A:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:47 vuln.today
Analysis Generated
Jul 15, 2026 - 15:47 vuln.today
CVE Published
Jul 15, 2026 - 15:03 cve.org
HIGH 7.7

DescriptionCVE.org

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO login flow checked the IdP email_verified claim only for new-user creation and not when SSO_SIGNUPS_MATCH_EMAIL=true linked an IdP identity to an existing local account, allowing an attacker-controlled IdP identity asserting a victim email address to bind to and authenticate as that account. This issue is fixed in version 1.36.0.

AnalysisAI

Authentication bypass (account takeover) in Vaultwarden before 1.36.0 allows an attacker who controls a federated identity provider identity to log in as an arbitrary local user by asserting that user's email address. The flaw exists because the SSO login flow validated the IdP 'email_verified' claim only during new-user creation, but skipped it when SSO_SIGNUPS_MATCH_EMAIL=true linked an incoming IdP identity to a pre-existing local account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Control trusted IdP identity
Delivery
Assert victim email, email_verified false/absent
Exploit
Initiate Vaultwarden SSO login
Execution
Email match binds to victim account
Persist
Issued valid session
Impact
Full access to victim vault

Vulnerability AssessmentAI

Exploitation Requires the Vaultwarden server to have SSO enabled AND SSO_SIGNUPS_MATCH_EMAIL=true (the account-linking-by-email mode) - this is the exact configuration setting that makes exploitation possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately but not uniformly severe. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or controls an identity in an IdP federated to (or trusted by) a target Vaultwarden that runs SSO with SSO_SIGNUPS_MATCH_EMAIL=true, and configures that identity to assert the victim's email address with email_verified absent or false. The attacker initiates the SSO login flow; because Vaultwarden matches on email without checking verification, it binds the attacker's IdP identity to the victim's existing local account and issues a valid session, granting full access to the victim's vault. …
Remediation Vendor-released patch: 1.36.0 - upgrade all Vaultwarden instances to 1.36.0 or later, which enforces the email_verified claim on the SSO account-linking path (advisory GHSA-6x5c-84vm-5j56, PR https://github.com/dani-garcia/vaultwarden/pull/7163). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Vaultwarden deployments in your environment and determine which ones have federated identity provider authentication enabled with SSO_SIGNUPS_MATCH_EMAIL configuration. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-27801 MEDIUM POC
5.9 Mar 04

Two-factor authentication bypass in Vaultwarden 1.34.3 and earlier allows authenticated attackers to circumvent 2FA prot

CVE-2026-27803 HIGH
8.3 Mar 04

Vaultwarden versions prior to 1.35.4 fail to properly enforce collection management permissions, allowing authenticated

CVE-2026-27802 HIGH
8.3 Mar 04

Vaultwarden versions before 1.35.4 contain a privilege escalation vulnerability that allows authenticated Manager-level

CVE-2026-47158 HIGH
8.3 Jul 15

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible ser

CVE-2024-56335 HIGH
7.5 Dec 20

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Rated high sev

CVE-2026-47159 MEDIUM
6.9 Jul 15

Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values -

CVE-2026-43911 MEDIUM
6.8 May 11

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when t

CVE-2026-26012 MEDIUM
6.5 Feb 11

Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls

CVE-2026-47160 MEDIUM
5.8 Jul 15

{domain}/icon.png endpoint, bypassing the server's address blocklist. The icon-fetching HTTP client in src/http_client.r

CVE-2026-27898 MEDIUM
5.4 Mar 04

Vaultwarden versions up to 1.35.4 is affected by authorization bypass through user-controlled key (CVSS 5.4).

CVE-2026-33420 MEDIUM
5.3 May 05

Vaultwarden versions 1.35.4 and earlier expose organization collection metadata to Manager-role users lacking full acces

CVE-2026-31835 MEDIUM
5.3 May 05

Vaultwarden versions 1.35.4 and earlier allow authenticated attackers to permanently disable WebAuthn two-factor authent

Share

CVE-2026-47164 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy