Skip to main content

Vaultwarden EUVDEUVD-2026-44693

| CVE-2026-47158 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-15 GitHub_M
8.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
vuln.today AI
8.8 HIGH

Network CSRF against the SSO flow needs no attacker auth (PR:N) but the victim must complete IdP login (UI:R); full session takeover yields high confidentiality, integrity and availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:47 vuln.today
Analysis Generated
Jul 15, 2026 - 15:47 vuln.today
CVE Published
Jul 15, 2026 - 15:01 cve.org
HIGH 8.3

DescriptionCVE.org

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO authorization flow did not bind the OAuth state parameter accepted by /connect/authorize to the initiating browser session, allowed attacker-controlled PKCE parameters, and left SsoAuth records intact after failed token exchange, allowing an unauthenticated attacker to induce IdP authentication and redeem tokens for a fully authenticated session. This issue is fixed in version 1.36.0.

AnalysisAI

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft SSO authorize request with attacker PKCE/state
Delivery
Lure victim to complete IdP login
Exploit
Unbound state accepted at /connect/authorize
Execution
Redeem code for victim tokens
Impact
Obtain fully authenticated vault session

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Vaultwarden instance has the SSO/OIDC login integration enabled and configured against an identity provider - this is an opt-in, non-default feature and the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H, score 8.3) describes a network-reachable, low-complexity, unauthenticated attack that requires user interaction - consistent with a CSRF/OAuth-binding weakness where the victim must be lured into completing an IdP login. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker initiates an SSO authorization request against a victim's Vaultwarden server using attacker-chosen PKCE parameters and an unbound state value, then lures the victim (e.g., via a crafted link) into completing authentication at the identity provider. Because the state is not tied to the victim's browser session and the SsoAuth record persists, the attacker redeems the resulting authorization code/tokens to obtain a fully authenticated session as the victim. …
Remediation Vendor-released patch: upgrade to Vaultwarden 1.36.0 or later, which binds the SSO flow to the initiating browser via a VW_SSO_BINDING cookie and a new sso_auth.binding_hash column and applies the required database migration automatically on startup - see the advisory at https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-pfp2-jhgq-6hg5, the fix in https://github.com/dani-garcia/vaultwarden/pull/7163 (commit d297e274a35dccd0f5d935e9d5934e0f7e9c0a87), and the release notes at https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all Vaultwarden deployments for versions prior to 1.36.0, disable OAuth/SSO authentication methods if not business-critical, and communicate to users to use password-based login only until remediation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-27801 MEDIUM POC
5.9 Mar 04

Two-factor authentication bypass in Vaultwarden 1.34.3 and earlier allows authenticated attackers to circumvent 2FA prot

CVE-2026-27803 HIGH
8.3 Mar 04

Vaultwarden versions prior to 1.35.4 fail to properly enforce collection management permissions, allowing authenticated

CVE-2026-27802 HIGH
8.3 Mar 04

Vaultwarden versions before 1.35.4 contain a privilege escalation vulnerability that allows authenticated Manager-level

CVE-2026-47164 HIGH
7.7 Jul 15

Authentication bypass (account takeover) in Vaultwarden before 1.36.0 allows an attacker who controls a federated identi

CVE-2024-56335 HIGH
7.5 Dec 20

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Rated high sev

CVE-2026-47159 MEDIUM
6.9 Jul 15

Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values -

CVE-2026-43911 MEDIUM
6.8 May 11

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when t

CVE-2026-26012 MEDIUM
6.5 Feb 11

Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls

CVE-2026-47160 MEDIUM
5.8 Jul 15

{domain}/icon.png endpoint, bypassing the server's address blocklist. The icon-fetching HTTP client in src/http_client.r

CVE-2026-27898 MEDIUM
5.4 Mar 04

Vaultwarden versions up to 1.35.4 is affected by authorization bypass through user-controlled key (CVSS 5.4).

CVE-2026-33420 MEDIUM
5.3 May 05

Vaultwarden versions 1.35.4 and earlier expose organization collection metadata to Manager-role users lacking full acces

CVE-2026-31835 MEDIUM
5.3 May 05

Vaultwarden versions 1.35.4 and earlier allow authenticated attackers to permanently disable WebAuthn two-factor authent

Share

EUVD-2026-44693 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy