CVE Alert

CVE-2026-57520

HIGH 7.1

Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
0th

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.
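The bug class above (a coarse permission check on the bulk path where the single-item path also checks the target's role) is easiest to see in a small model. The following is an added example, not Bitwarden's code: the role ranks, the `may_remove` guard, and the `bulk_remove_vulnerable` / `bulk_remove_fixed` handlers are assumptions chosen to reproduce the behaviour the advisory describes, with the fixed path making every authorization decision before it mutates anything so a mixed batch cannot partially succeed.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """Simplified organization roles ordered by rank (an assumption, not Bitwarden's model)."""
    USER = 0
    CUSTOM = 1
    ADMIN = 2
    OWNER = 3


@dataclass
class OrgUser:
    id: str
    role: Role
    manage_users: bool = False  # the ManageUsers permission a Custom user may hold


@dataclass
class Organization:
    users: dict = field(default_factory=dict)

    def add(self, *members):
        for m in members:
            self.users[m.id] = m
        return self


class Forbidden(Exception):
    pass


def has_manage_users(actor: OrgUser) -> bool:
    """Coarse permission: Admins/Owners implicitly manage users, Custom users only if granted."""
    return actor.role >= Role.ADMIN or (actor.role == Role.CUSTOM and actor.manage_users)


def may_remove(actor: OrgUser, target: OrgUser) -> bool:
    """Role-hierarchy guard: Custom+ManageUsers may only remove targets below Admin rank,
    Admins may not remove Owners, nobody removes themselves via this path."""
    if not has_manage_users(actor) or actor.id == target.id:
        return False
    if actor.role == Role.OWNER:
        return True
    if actor.role == Role.ADMIN:
        return target.role < Role.OWNER
    return target.role < Role.ADMIN


def remove_user(org: Organization, actor: OrgUser, target_id: str) -> None:
    """Single-user removal path: enforces the hierarchy guard."""
    target = org.users[target_id]
    if not may_remove(actor, target):
        raise Forbidden(f"{actor.id} may not remove {target_id} ({target.role.name})")
    del org.users[target_id]


def bulk_remove_vulnerable(org: Organization, actor: OrgUser, target_ids: list) -> list:
    """Vulnerable bulk path: checks only ManageUsers, never the rank of each target."""
    if not has_manage_users(actor):
        raise Forbidden("ManageUsers required")
    removed = []
    for tid in target_ids:
        if tid in org.users and tid != actor.id:
            del org.users[tid]
            removed.append(tid)
    return removed


def bulk_remove_fixed(org: Organization, actor: OrgUser, target_ids: list) -> list:
    """Hardened bulk path: same per-target guard as the single path, decided before any deletion."""
    targets = [org.users[tid] for tid in target_ids if tid in org.users]
    refused = [t.id for t in targets if not may_remove(actor, t)]
    if refused:
        raise Forbidden(f"{actor.id} may not remove: {', '.join(refused)}")
    for t in targets:
        del org.users[t.id]
    return [t.id for t in targets]


def demo_org() -> Organization:
    """Constructed sample organization (not real data)."""
    return Organization().add(
        OrgUser("owner-1", Role.OWNER),
        OrgUser("admin-1", Role.ADMIN),
        OrgUser("custom-1", Role.CUSTOM, manage_users=True),
        OrgUser("user-1", Role.USER),
    )


def run_scenarios() -> dict:
    """Replays a Custom+ManageUsers user targeting an Admin against all three paths."""
    results = {}
    org = demo_org()
    try:
        remove_user(org, org.users["custom-1"], "admin-1")
        results["single"] = "removed"
    except Forbidden:
        results["single"] = "forbidden"
    org = demo_org()
    results["bulk_vulnerable"] = bulk_remove_vulnerable(org, org.users["custom-1"], ["admin-1", "user-1"])
    org = demo_org()
    try:
        bulk_remove_fixed(org, org.users["custom-1"], ["admin-1", "user-1"])
        results["bulk_fixed"] = "removed"
    except Forbidden:
        results["bulk_fixed"] = "forbidden"
    results["bulk_fixed_admins_left"] = sum(1 for u in org.users.values() if u.role == Role.ADMIN)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The test to take from this when reviewing any bulk endpoint: the per-item authorization function must be the same one the single-item endpoint calls, and it must run for every ID in the request, not once for the caller.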

CWE CWE-862 (Missing Authorization)
Vendor bitwarden
Product server
Published Jun 25, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Affected Versions

bitwarden / server
< 2026.5.0 (all releases before 2026.5.0; fixed in 2026.5.0)

References

NVD, CVE.org, EPSS Data (external record links)
sanjokkarki.com.np: https://sanjokkarki.com.np/blog/bitwarden-bulk-remove-admin (researcher write-up)
github.com: https://github.com/bitwarden/server/releases/tag/v2026.5.0 (fixed release)
github.com: https://github.com/bitwarden/server/pull/7526 (bitwarden/server pull request)
github.com: https://github.com/bitwarden/server/commit/901bb67157c0f80d369c40b76742fdf7623da4e4 (bitwarden/server commit)
vulncheck.com: https://www.vulncheck.com/advisories/bitwarden-server-privilege-escalation-via-bulk-user-remove-endpoint (VulnCheck advisory)

Credits

Sanjok Karki