Lucene search
BitwardenServer

8 matches found

CVE, added 2019/12/12 6:07 p.m., 50 views

CVE-2019-19766

CVE-2019-19766 affects Bitwarden server 1.32.0 and earlier, with a cryptographic issue described as a potentially unwanted KDF. Connected sources (CNVD, RH, NVD, OSV, OSV) identify Bitwarden server as the affected product and versions ≤1.32.0; the CVSS vectors indicate Confidentiality impact (per...

CVSS 7.5 | AI score 7.5 | EPSS 0.01346

CVE, added 2020/07/21 4:59 p.m., 41 views

CVE-2020-15879

Bitwarden Server 1.35.1 is affected by CVE-2020-15879: it allows SSRF because it does not consider certain IPv6 addresses (fc*/fd*/fe*/ff* and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16). The connected sources confirm an SSRF issue in Bitwarden Server, but e...

CVSS 7.5 | AI score 7.5 | EPSS 0.02699

CVE, added 2026/05/11 5:13 p.m., 37 views

CVE-2026-43638

Bitwarden Server before 2026.4.1 contains a missing authorization vulnerability that lets any authenticated user write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, bypassing the server-side permission check. Affected produc...

CVSS 5.4 | AI score 5.9 | EPSS 0.00188 | Tags: Web

CVE, added 2026/05/11 5:14 p.m., 37 views

CVE-2026-43639

Bitwarden Server prior to v2026.4.0 is affected by a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via POST /providers/{providerId}/clients/existing, resulting in takeover of the target organization. The issue is restric...

CVSS 9.1 | AI score 5.9 | EPSS 0.00596 | Tags: Web

CVE, added 2026/05/11 5:14 p.m., 22 views

CVE-2026-43640

Bitwarden Server (affected: v2026.4.1 and earlier) contains an authentication bypass for SCIM API key retrieval/rotation. A logged-in user with SCIM management privileges can obtain the organization's SCIM API key without re-authenticating the master password, exposing sensitive credentials. Root...

CVSS 8.6 | AI score 5.8 | EPSS 0.00504

CVE, added 5 days ago, 11 views

CVE-2026-57520

Bitwarden Server prior to 2026.5.0 is affected by a privilege-escalation vulnerability in the bulk user-remove endpoint. The issue arises from a missing role hierarchy check, allowing authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by supplying...

CVSS 7.1 | AI score 5.9 | EPSS 0.00277

CVE, added 5 days ago, 7 views

CVE-2026-57521

Bitwarden Server (pre-2026.5.0) has a broken access control in PreviewInvoiceController: any authenticated user can supply an arbitrary organizationId to access that organization’s billing data without membership checks. The issue stems from the missing ManageOrganizationBillingRequirement on the...

CVSS 5.3 | AI score 6 | EPSS 0.00211

CVE, added 5 days ago, 6 views

CVE-2026-57522

CVE-2026-57522 affects Bitwarden Server prior to 2026.5.0. The vulnerability is a JSON injection in IntegrationTemplateProcessor.ReplaceTokens(), which inserts user-controlled values into event-integration templates without JSON encoding. If an organization uses an event integration whose templat...

CVSS 5 | AI score 6 | EPSS 0.00217