Lucene search
K

42 matches found

NVD
NVD
added 5 days ago6 views

CVE-2026-60104

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryptio...

9.3CVSS0.00186EPSS
Exploits0References5
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-42367

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryptio...

9.3CVSS6AI score0.00186EPSS
Exploits0References5
CVE
CVE
added 5 days ago18 views

CVE-2026-60104

Bitwarden Server before 2026.6.0 is vulnerable to an authorization bypass in the admin/auth request flow. A low-privileged organization member can exploit a mismatch in the POST /auth-requests/admin-request handling to bind a Trusted Device Encryption request to an attacker-controlled public key,...

9.3CVSS6AI score0.00186EPSS
Exploits0References5
Cvelist
Cvelist
added 5 days ago35 views

CVE-2026-60104 Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryptio...

9.3CVSS0.00186EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 5 days ago4 views

PT-2026-56552

Name of the Vulnerable Software and Affected Versions Bitwarden Server versions prior to 2026.6.0 Description An issue exists where the server fails to verify if the email address provided in the body of the 'POST /auth-requests/admin-request' endpoint belongs to the authenticated user. This allo...

9.3CVSS6.1AI score0.00186EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/06/25 7:9 p.m.5 views

CVE-2026-57522

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens, which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template referenc...

3.5CVSS6AI score0.00262EPSS
Exploits1References6
CVE
CVE
added 2026/06/25 7:9 p.m.17 views

CVE-2026-57522

CVE-2026-57522 affects Bitwarden Server prior to 2026.5.0. The vulnerability is a JSON injection in IntegrationTemplateProcessor.ReplaceTokens(), which inserts user-controlled values into event-integration templates without JSON encoding. If an organization uses an event integration whose templat...

5CVSS6AI score0.00262EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2026/06/25 7:9 p.m.20 views

CVE-2026-57521 Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers...

5.3CVSS0.00248EPSS
Exploits1References5
CVE
CVE
added 2026/06/25 7:9 p.m.20 views

CVE-2026-57521

Bitwarden Server (pre-2026.5.0) has a broken access control in PreviewInvoiceController: any authenticated user can supply an arbitrary organizationId to access that organization’s billing data without membership checks. The issue stems from the missing ManageOrganizationBillingRequirement on the...

5.3CVSS6AI score0.00248EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2026/06/25 7:8 p.m.20 views

CVE-2026-57520 Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

7.1CVSS0.00354EPSS
Exploits1References5
CVE
CVE
added 2026/06/25 7:8 p.m.26 views

CVE-2026-57520

Bitwarden Server prior to 2026.5.0 is affected by a privilege-escalation vulnerability in the bulk user-remove endpoint. The issue arises from a missing role hierarchy check, allowing authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by supplying...

7.1CVSS5.9AI score0.00354EPSS
Exploits1References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/25 7:8 p.m.7 views

CVE-2026-57520

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

7.1CVSS5.9AI score0.00354EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.8 views

PT-2026-52576

Name of the Vulnerable Software and Affected Versions Bitwarden Server versions prior to 2026.5.0 Description An issue exists in the IntegrationTemplateProcessor.ReplaceTokens function where user-controlled values are substituted into event-integration templates without proper JSON encoding. An...

5CVSS5.9AI score0.00262EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.15 views

PT-2026-52574

Name of the Vulnerable Software and Affected Versions Bitwarden Server versions prior to 2026.5.0 Description An issue exists where authenticated Custom users with the ManageUsers permission can escalate privileges to remove Admin accounts from an organization. This occurs due to a missing role...

7.1CVSS5.8AI score0.00354EPSS
Exploits1References8
EUVD
EUVD
added 2026/05/11 6:31 p.m.20 views

EUVD-2026-29170

Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via POST /providers/providerId/clients/existing, resulting in takeover of the target organization; self-hosted installations ar...

8.9CVSS5.9AI score0.00596EPSS
Exploits1References6
EUVD
EUVD
added 2026/05/11 6:31 p.m.13 views

EUVD-2026-29171

Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session...

8.6CVSS5.8AI score0.00504EPSS
Exploits1References6
EUVD
EUVD
added 2026/05/11 6:31 p.m.15 views

EUVD-2026-29130

Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, which causes the server-side permission check to be...

5.4CVSS5.9AI score0.00188EPSS
Exploits1References6
NVD
NVD
added 2026/05/11 6:16 p.m.22 views

CVE-2026-43638

Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, which causes the server-side permission check to be...

5.4CVSS0.00188EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/05/11 5:14 p.m.33 views

CVE-2026-43640 Bitwarden Server < 2026.4.1 Authentication Bypass via SCIM API Key

Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session...

8.6CVSS0.00504EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/05/11 5:14 p.m.7 views

CVE-2026-43640 Bitwarden Server < 2026.4.1 Authentication Bypass via SCIM API Key

Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session...

8.6CVSS5.8AI score0.00504EPSS
Exploits1References5
Rows per page
Query Builder