๐Ÿ” CVE Alert

CVE-2026-60104

HIGH 8.7

Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request

CVSS Score
8.7
EPSS Score
0.2%
EPSS Percentile
8th

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.

CWE CWE-639
Vendor bitwarden
Product server
Published Jul 8, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for bitwarden server

Be the first to know when new high vulnerabilities affecting bitwarden server are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

bitwarden / server
0 < 2026.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
sanjokkarki.com.np: https://sanjokkarki.com.np/blog/bitwarden-vault-key-heist github.com: https://github.com/bitwarden/server/releases#release-v2026.6.0 github.com: https://github.com/bitwarden/server/pull/7615 github.com: https://github.com/bitwarden/server/commit/dcf4c486b2b5bedecc03a48b427243328cc74a9a vulncheck.com: https://www.vulncheck.com/advisories/bitwarden-server-authorization-bypass-via-admin-auth-request

Credits

Sanjok Karki