CVE-2026-60104
Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request
CVSS Score
8.7
EPSS Score
0.2%
EPSS Percentile
8th
Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.
| CWE | CWE-639 |
| Vendor | bitwarden |
| Product | server |
| Published | Jul 8, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for bitwarden server
Be the first to know when new high vulnerabilities affecting bitwarden server are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
bitwarden / server
0 < 2026.6.0
References
sanjokkarki.com.np: https://sanjokkarki.com.np/blog/bitwarden-vault-key-heist github.com: https://github.com/bitwarden/server/releases#release-v2026.6.0 github.com: https://github.com/bitwarden/server/pull/7615 github.com: https://github.com/bitwarden/server/commit/dcf4c486b2b5bedecc03a48b427243328cc74a9a vulncheck.com: https://www.vulncheck.com/advisories/bitwarden-server-authorization-bypass-via-admin-auth-request
Credits
Sanjok Karki