CVE-2026-47159
Received Received - Intake

SSO Enumeration and JWT Pre-Validation in Vaultwarden

Vulnerability report for CVE-2026-47159, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO discovery and pre-validation flow returned organization-related SSO metadata including organizationIdentifier values for arbitrary email addresses and allowed a valid pre-validation JWT to be obtained with only the discovered identifier, enabling SSO-enabled organization enumeration and authentication workflow abuse. This issue is fixed in version 1.36.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
dani_garcia vaultwarden to 1.35.8 (exc)
dani_garcia vaultwarden 1.36.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-47159 is an information disclosure vulnerability in Vaultwarden's SSO discovery and pre-validation flow. It allows attackers to submit arbitrary email addresses to the SSO verification endpoint and receive organization-related metadata, including organization names and identifiers, even if the email is not linked to any organization. This enables enumeration of SSO-enabled organizations.

Impact Analysis

This vulnerability allows attackers to discover which organizations use SSO with Vaultwarden by submitting email addresses. They can then obtain a valid pre-validation JWT token without proving email ownership, potentially enabling SSO flow abuse, tenant discovery, targeted phishing, or authentication bypasses.

Compliance Impact

This vulnerability may lead to unauthorized disclosure of organizational SSO details, potentially violating data protection requirements under GDPR and HIPAA by exposing internal organization structures or user associations without consent.

Detection Guidance

To detect this vulnerability, monitor SSO-related API endpoints for unusual requests to the SSO discovery or pre-validation flows. Check Vaultwarden logs for repeated requests to /sso/prevalidate or /sso/discovery with arbitrary email addresses. Ensure no unauthorized JWT tokens are generated without proper email verification.

Mitigation Strategies

Immediately upgrade Vaultwarden to version 1.36.0 or later to address the SSO flaws. Disable SSO discovery endpoints if not required. Implement rate limiting on SSO-related API endpoints to prevent enumeration attempts. Review logs for suspicious activity related to SSO pre-validation flows.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47159. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart