Skip to main content

Bitwarden Server CVE-2026-60104

| EUVDEUVD-2026-42367 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-08 VulnCheck GHSA-5g65-rmxf-rgj6
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.7 HIGH

Any low-privileged org member (PR:L) can exploit remotely with low complexity, but an admin must approve the request (UI:R); stealing another user's key crosses security authority (S:C) with high C/I and no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jul 08, 2026 - 22:28 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 08, 2026 - 22:28 vuln.today
Analysis Updated
Jul 08, 2026 - 22:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jul 08, 2026 - 22:22 NVD
HIGH CRITICAL
CVSS changed
Jul 08, 2026 - 22:22 NVD
8.5 (HIGH) 9.3 (CRITICAL)
Analysis Generated
Jul 08, 2026 - 20:22 vuln.today

DescriptionCVE.org

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.

AnalysisAI

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any other member's vault key and a victim-scoped access token. The POST /auth-requests/admin-request handler never verifies that the email in the request body belongs to the authenticated caller (CWE-639), so an attacker can create a Trusted Device Encryption admin-approval request for a victim, bound to an attacker-controlled public key; once approved, the encrypted key material is retrievable from an unauthenticated endpoint. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged org member
Delivery
POST /auth-requests/admin-request with victim email + attacker public key
Exploit
Organization admin approves the request
Execution
Retrieve approved request from unauthenticated endpoint
Impact
Decrypt victim vault key and use scoped token to take over account

Vulnerability AssessmentAI

Exploitation The attacker must already hold a low-privileged member account in the same Bitwarden organization as the victim (PR:L) and must supply the victim's email plus an attacker-controlled public key in the admin-request body. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high priority rather than an inflated high-CVSS finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding an ordinary low-privileged membership in a Bitwarden organization sends a POST /auth-requests/admin-request specifying a victim colleague's email and an attacker-controlled public key. An organization administrator, believing it is a normal device-approval request, approves it; the attacker then fetches the now-approved request from the unauthenticated endpoint, decrypts the victim's vault key with the attacker's private key, and uses the victim-scoped access token to take over the account. …
Remediation Vendor-released patch: 2026.6.0 - upgrade self-hosted Bitwarden Server to 2026.6.0 or later, which adds server-side validation that the admin-request Type is AdminApproval and that the authenticated caller's user id matches the target account (PR #7615 / commit dcf4c486b2b5bedecc03a48b427243328cc74a9a). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all self-hosted Bitwarden Server instances and their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Server

View all
CVE-2018-1000881 CRITICAL POC
9.8 Dec 20

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio

CVE-2026-43639 HIGH POC
8.9 May 11

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access

CVE-2021-42973 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl

CVE-2021-42972 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple

CVE-2026-43640 HIGH POC
8.6 May 11

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2023-30223 HIGH POC
7.5 Jun 16

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen

CVE-2023-30222 HIGH POC
7.5 Jun 16

An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2017-7855 MEDIUM POC
6.1 Aug 31

In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet

CVE-2022-39395 CRITICAL
9.9 Nov 10

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se

CVE-2026-49261 CRITICAL
9.8 Jun 11

OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes b

Share

CVE-2026-60104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy