
Bitwarden Server: EUVD-2026-39541 / CVE-2026-57520 (HIGH)

Missing Authorization (CWE-862)
Published 2026-06-25 · Source: VulnCheck · Advisory: GHSA-6f6g-3qf9-xqc4
CVSS 4.0 base score 7.1 (Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), primary: 7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.1 HIGH
Rationale: the endpoint is reachable over the network with low attack complexity, but the attacker must already hold an organization account with the ManageUsers permission (PR:L). Impact is high on integrity (Admin accounts are removed), low on availability, and nil on confidentiality.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

SUSE: HIGH (qualitative rating)

Primary rating from Vendor (VulnCheck).

CVSS 4.0 base metrics (Vendor: VulnCheck), decoded from the vector above

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None

Lifecycle Timeline

Jun 25, 2026 20:20 (vuln.today): source code evidence fetched
Jun 25, 2026 20:20 (vuln.today): analysis generated

Description (CVE.org)

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.

Analysis (AI)

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a Custom role with the ManageUsers permission delete Admin accounts from the organization, undermining administrative control. The flaw stems from the bulk user-remove (DELETE) endpoint omitting the role-hierarchy guard that the single-user removal path enforces, so a lower-privileged user can strip Admins by submitting their organization-user IDs in a batch request. …
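The pattern described above, as an added example that is not Bitwarden Server code (the real server is C#/.NET and its authorization classes are not reproduced here): a single-user removal path that enforces both the ManageUsers permission and a role-hierarchy check, a bulk path that checks only the permission (the flaw class the advisory describes), and a fixed bulk path that applies the same per-target guard before mutating anything. The role ranks, the "may not remove a higher rank" rule, the sample organization and every function name are assumptions made for the illustration.

```python
"""Illustrative model of a role-hierarchy guard missing from a bulk remove path.
Added example, not Bitwarden code. Ranks, rule and names are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    """Assumed rank order: an actor may only remove targets of equal or lower rank."""
    USER = 0
    CUSTOM = 1
    ADMIN = 2
    OWNER = 3


@dataclass
class OrgUser:
    id: str
    role: Role
    manage_users: bool = False  # the ManageUsers permission; only meaningful for CUSTOM


class Forbidden(Exception):
    pass


def has_manage_users(actor: OrgUser) -> bool:
    return actor.role >= Role.ADMIN or (actor.role == Role.CUSTOM and actor.manage_users)


def check_remove(actor: OrgUser, target: OrgUser) -> None:
    """The guard the single-user path enforces: permission AND hierarchy."""
    if not has_manage_users(actor):
        raise Forbidden(f"{actor.id} lacks ManageUsers")
    if target.role > actor.role:
        raise Forbidden(f"{actor.id} ({actor.role.name}) may not remove {target.id} ({target.role.name})")


def remove_user(members: dict, actor_id: str, target_id: str) -> None:
    check_remove(members[actor_id], members[target_id])
    del members[target_id]


def bulk_remove_vulnerable(members: dict, actor_id: str, target_ids: list) -> list:
    """Models the flaw: the bulk path checks the permission but never the per-target rank."""
    if not has_manage_users(members[actor_id]):
        raise Forbidden(f"{actor_id} lacks ManageUsers")
    removed = [t for t in target_ids if t in members]
    for t in removed:
        del members[t]
    return removed


def bulk_remove_fixed(members: dict, actor_id: str, target_ids: list) -> list:
    """Fixed: run the single-path guard for every target first, then mutate (all-or-nothing),
    so one out-of-rank ID cannot be smuggled in beside legitimate ones."""
    actor = members[actor_id]
    targets = [members[t] for t in target_ids if t in members]
    for t in targets:
        check_remove(actor, t)
    for t in targets:
        del members[t.id]
    return [t.id for t in targets]


def make_org() -> dict:
    """Constructed sample organization (not real data)."""
    users = [
        OrgUser("owner-1", Role.OWNER),
        OrgUser("admin-1", Role.ADMIN),
        OrgUser("admin-2", Role.ADMIN),
        OrgUser("lead-1", Role.CUSTOM, manage_users=True),  # the team lead from the scenario
        OrgUser("user-1", Role.USER),
    ]
    return {u.id: u for u in users}


def blocked(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except Forbidden:
        return True


def demo() -> dict:
    results = {}
    # 1. Single-user path: the Custom user cannot remove an Admin.
    org = make_org()
    results["single_blocked"] = blocked(remove_user, org, "lead-1", "admin-1")
    # 2. Vulnerable bulk path: the same user removes every Admin in one request.
    org = make_org()
    results["vulnerable_removed"] = bulk_remove_vulnerable(org, "lead-1", ["admin-1", "admin-2"])
    results["admins_left"] = [u.id for u in org.values() if u.role == Role.ADMIN]
    # 3. Fixed bulk path: the whole batch is rejected and nothing is removed, not even user-1.
    org = make_org()
    results["fixed_blocked"] = blocked(bulk_remove_fixed, org, "lead-1", ["user-1", "admin-1"])
    results["fixed_untouched"] = "user-1" in org
    # 4. Legitimate use still works, and Owners stay out of reach of Admins.
    results["fixed_allowed"] = bulk_remove_fixed(org, "lead-1", ["user-1"])
    results["admin_vs_owner_blocked"] = blocked(bulk_remove_fixed, org, "admin-1", ["owner-1"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The review point this makes concrete: when a batch endpoint is added beside an existing single-item endpoint, the authorization decision must be factored into one function called per item on both paths; a permission check on the request as a whole is not equivalent to the hierarchy check on each target.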


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: authenticate as a Custom user holding the ManageUsers permission
Delivery: enumerate the organization-user IDs of Admin accounts
Exploit: craft a bulk DELETE request to the user-remove endpoint
Execution: submit the Admin IDs, bypassing the role-hierarchy guard
Impact: Admin accounts removed from the organization

Vulnerability Assessment (AI)

Exploitation: requires an authenticated organization member assigned a Custom role that includes the ManageUsers permission (PR:L) on a self-hosted Bitwarden Server older than 2026.5.0. The attacker targets the bulk user-remove DELETE endpoint and supplies the organization-user IDs of Admin accounts; the bulk path lacks the role-hierarchy check that the single-user removal path enforces. …

Risk Assessment: signals are moderately consistent and point to a real but bounded authorization risk rather than a mass-exploitation emergency. …

Exploit Scenario: an organization grants a team lead a Custom role with the ManageUsers permission so they can onboard staff. That account (or an attacker who phishes it) sends a single bulk DELETE request to the user-remove endpoint containing the organization-user IDs of the org's Admins. Because the bulk path skips the role-hierarchy guard, the Admins are removed, leaving the organization without higher-tier oversight. …

Remediation: vendor-released patch. Upgrade Bitwarden Server to 2026.5.0 or later (release: https://github.com/bitwarden/server/releases/tag/v2026.5.0), which adds the missing role-hierarchy check to the bulk user-remove endpoint. …

Recommended Action (AI)

Within 24 hours: Audit all organization members with Custom roles holding the ManageUsers permission and assess exposure. …
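A triage helper for that audit, added here as an example and not a Bitwarden tool: it takes the server version and a member export, lists the Custom members who hold ManageUsers (the accounts whose compromise reaches the bulk path), and lists the Admins exposed while the build is below 2026.5.0. The member record shape (Bitwarden's organization-user type codes 0 Owner, 1 Admin, 2 User, 4 Custom and a `permissions.manageUsers` flag) and the version-string format are assumptions; the sample export is constructed.

```python
"""Triage helper for the 24-hour audit. Added example, not Bitwarden code.
Assumptions: member records use type codes 0 Owner, 1 Admin, 2 User, 4 Custom
and carry permissions.manageUsers; the server version looks like '2026.4.1'."""
import json

PATCHED = (2026, 5, 0)  # fixed release per the advisory
OWNER, ADMIN, USER, CUSTOM = 0, 1, 2, 4

# Constructed sample export (not real data); the field shape is an assumption.
SAMPLE_MEMBERS = json.loads("""
[
  {"email": "owner@example.com",   "type": 0, "permissions": null},
  {"email": "admin@example.com",   "type": 1, "permissions": null},
  {"email": "lead@example.com",    "type": 4, "permissions": {"manageUsers": true,  "manageGroups": false}},
  {"email": "billing@example.com", "type": 4, "permissions": {"manageUsers": false, "manageBilling": true}},
  {"email": "staff@example.com",   "type": 2, "permissions": null}
]
""")


def parse_version(v: str) -> tuple:
    """'2026.4.1' -> (2026, 4, 1); tolerates '2026.5' and a '-beta' style suffix."""
    parts = v.split("-")[0].split(".")[:3]
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_vulnerable(server_version: str) -> bool:
    return parse_version(server_version) < PATCHED


def audit(server_version: str, members: list) -> dict:
    exposed = [m["email"] for m in members
               if m["type"] == CUSTOM and (m.get("permissions") or {}).get("manageUsers")]
    admins = [m["email"] for m in members if m["type"] == ADMIN]
    vuln = is_vulnerable(server_version)
    return {
        "vulnerable": vuln,
        "exposed_accounts": exposed,          # Custom + ManageUsers: the accounts to review first
        "admins_at_risk": admins if vuln else [],
        "action": ("upgrade to 2026.5.0 or later and review ManageUsers on Custom roles"
                   if vuln and exposed else
                   "patched, or no Custom ManageUsers holders: no immediate action"),
    }


if __name__ == "__main__":
    print(json.dumps(audit("2026.4.1", SAMPLE_MEMBERS), indent=2))
```

Feed it the real member export and the version reported by your instance; accounts listed under exposed_accounts are the ones to re-scope or protect with stronger authentication until the upgrade is done.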



Vendor Status

SUSE: Severity Important
