Lucene search
K

6 matches found

CVE
CVE
added 2026/05/11 5:13 p.m.41 views

CVE-2026-43638

Bitwarden Server before 2026.4.1 contains a missing authorization vulnerability that lets any authenticated user write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, bypassing the server-side permission check. Affected produc...

5.4CVSS5.9AI score0.00188EPSS
Web
CVE
CVE
added 2026/05/11 5:14 p.m.41 views

CVE-2026-43639

Bitwarden Server prior to v2026.4.0 is affected by a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via POST /providers/{providerId}/clients/existing, resulting in takeover of the target organization. The issue is restric...

9.1CVSS5.9AI score0.00596EPSS
Web
CVE
CVE
added 2026/06/25 7:8 p.m.25 views

CVE-2026-57520

Bitwarden Server prior to 2026.5.0 is affected by a privilege-escalation vulnerability in the bulk user-remove endpoint. The issue arises from a missing role hierarchy check, allowing authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by supplying...

7.1CVSS5.9AI score0.00354EPSS
CVE
CVE
added 2026/05/11 5:14 p.m.24 views

CVE-2026-43640

Bitwarden Server (affected: v2026.4.1 and earlier) contains an authentication bypass for SCIM API key retrieval/rotation. A logged-in user with SCIM management privileges can obtain the organization's SCIM API key without re-authenticating the master password, exposing sensitive credentials. Root...

8.6CVSS5.8AI score0.00504EPSS
CVE
CVE
added 2026/06/25 7:9 p.m.17 views

CVE-2026-57521

Bitwarden Server (pre-2026.5.0) has a broken access control in PreviewInvoiceController: any authenticated user can supply an arbitrary organizationId to access that organization’s billing data without membership checks. The issue stems from the missing ManageOrganizationBillingRequirement on the...

5.3CVSS6AI score0.00248EPSS
CVE
CVE
added 2026/06/25 7:9 p.m.15 views

CVE-2026-57522

CVE-2026-57522 affects Bitwarden Server prior to 2026.5.0. The vulnerability is a JSON injection in IntegrationTemplateProcessor.ReplaceTokens(), which inserts user-controlled values into event-integration templates without JSON encoding. If an organization uses an event integration whose templat...

5CVSS6AI score0.00262EPSS