Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network endpoint with low complexity but requires an existing ManageUsers-granted account (PR:L); impact is integrity-high from removing Admins with low availability and no confidentiality effect.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.
Analysis (AI)
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a Custom role with the ManageUsers permission delete Admin accounts from the organization, undermining administrative control. The flaw stems from the bulk user-remove (DELETE) endpoint omitting the role-hierarchy guard that the single-user removal path enforces, so a lower-privileged user can strip Admins by submitting their organization-user IDs in a batch request. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires an authenticated organization member assigned a Custom role that includes the ManageUsers permission (PR:L) on a self-hosted Bitwarden Server older than 2026.5.0; the attacker must target the bulk user-remove DELETE endpoint and supply the organization-user IDs of Admin accounts, exploiting the absence of the role-hierarchy check that the single-user removal path enforces. … |
| Risk Assessment | Signals are moderately consistent and point to a real but bounded authorization risk rather than a mass-exploitation emergency. … |
| Exploit Scenario | An organization grants a team lead a Custom role with the ManageUsers permission so they can onboard staff; that account (or an attacker who phishes it) sends a single bulk DELETE request to the user-remove endpoint containing the organization-user IDs of the org's Admins. Because the bulk path skips the role-hierarchy guard, the Admins are removed, leaving the organization without higher-tier oversight. … |
| Remediation | Vendor-released patch: upgrade Bitwarden Server to 2026.5.0 or later (release: https://github.com/bitwarden/server/releases/tag/v2026.5.0), which adds the missing role-hierarchy check to the bulk user-remove endpoint. … |
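The gap the description and the Remediation row describe, modelled as an added example (not Bitwarden's code): a single-user removal that runs a role-hierarchy guard, a bulk path that checks only the ManageUsers permission, and the hardened bulk path that applies the per-target guard to every ID before anything is deleted. Role names follow the advisory; the rank ordering, the data model, the member ids and the function names are constructed for this illustration.

```python
from dataclasses import dataclass, field
RANK = {"Owner": 3, "Admin": 2, "User": 1, "Custom": 1}  # constructed; only the ordering matters

@dataclass
class OrgUser:
    id: str
    role: str
    permissions: frozenset = field(default_factory=frozenset)

def can_remove(actor: OrgUser, target: OrgUser) -> bool:
    """Role-hierarchy guard: actor needs ManageUsers and the target must not outrank the actor."""
    allowed = actor.role in ("Owner", "Admin") or "ManageUsers" in actor.permissions
    return allowed and RANK[target.role] <= RANK[actor.role]

def remove_one(org: dict, actor: OrgUser, target_id: str) -> None:  # single-user path
    if not can_remove(actor, org[target_id]):
        raise PermissionError(f"{actor.id} may not remove {target_id}")
    del org[target_id]

def remove_bulk_vulnerable(org: dict, actor: OrgUser, target_ids: list) -> None:
    """Before: the permission is checked once, but no target's role is."""
    if not (actor.role in ("Owner", "Admin") or "ManageUsers" in actor.permissions):
        raise PermissionError("ManageUsers required")
    for tid in target_ids:
        org.pop(tid, None)

def remove_bulk_fixed(org: dict, actor: OrgUser, target_ids: list) -> None:
    """After: the same guard runs on every target before anything is deleted."""
    targets = [org[tid] for tid in target_ids if tid in org]
    denied = [t.id for t in targets if not can_remove(actor, t)]
    if denied:
        raise PermissionError(f"role hierarchy violated for {denied}")
    for t in targets:
        del org[t.id]

def fresh_org() -> dict:  # constructed org: Owner, Admin, Custom lead with ManageUsers, User
    return {u.id: u for u in (OrgUser("ou-owner", "Owner"), OrgUser("ou-admin", "Admin"),
            OrgUser("ou-lead", "Custom", frozenset({"ManageUsers"})), OrgUser("ou-staff", "User"))}

def demo() -> dict:
    """Drive both bulk paths as the Custom lead; returns the surviving member ids."""
    lead, result = fresh_org()["ou-lead"], {}
    for name, fn in (("vulnerable", remove_bulk_vulnerable), ("fixed", remove_bulk_fixed)):
        org = fresh_org()
        try:
            fn(org, lead, ["ou-admin", "ou-staff"])
        except PermissionError:
            pass  # fixed path rejects the whole batch, so nobody is removed
        result[name] = sorted(org)
    return result
```

Rejecting the whole batch when any target fails the guard keeps the fixed path all-or-nothing; a partial delete would still let the caller probe which IDs were protected.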
Recommended Action (AI)
Within 24 hours: Audit all organization members with Custom roles holding the ManageUsers permission and assess exposure. …
Weakness: CWE-862 – Missing Authorization
Technique: Authentication Bypass
Vendor Status: SUSE, Severity: Important
External POC / Exploit Code
EUVD-2026-39541
GHSA-6f6g-3qf9-xqc4