CVE-2026-60104
Received Received - Intake

Authentication Bypass in Bitwarden Server

Vulnerability report for CVE-2026-60104, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bitwarden server to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-60104 is a critical authorization bypass vulnerability in Bitwarden Server versions before 2026.6.0.

The vulnerability occurs because the server does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller.

This flaw allows a low-privileged organization member to create a Trusted Device Encryption authentication request bound to an attacker-controlled public key.

Once this request is approved, it can be read from an unauthenticated endpoint, enabling the attacker to obtain another user's vault key and a victim-scoped access token.

This results in disclosure of the victim's vault key and potential account takeover.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive user data.

An attacker with low privileges within an organization can exploit this flaw to obtain another user's vault key and access token.

This leads to disclosure of confidential vault data and allows the attacker to take over the victim's account.

Such an account takeover can compromise the security and privacy of the victim's stored credentials and secrets.

Detection Guidance

This vulnerability involves unauthorized creation of Trusted Device Encryption authentication requests via the POST /auth-requests/admin-request endpoint, which can be read from an unauthenticated endpoint once approved.

To detect exploitation attempts on your system or network, you should monitor for unusual POST requests to /auth-requests/admin-request, especially those where the email in the request body does not belong to the authenticated user.

Commands to help detect suspicious activity could include inspecting web server logs or API request logs for such POST requests. For example, using grep on server logs:

  • grep 'POST /auth-requests/admin-request' /var/log/bitwarden/access.log
  • grep -i 'email' /var/log/bitwarden/access.log | grep 'auth-requests/admin-request'

Additionally, monitoring for requests approved that result in vault key disclosures or unexpected access token issuance could be done by auditing authentication logs or API responses if available.

Mitigation Strategies

The primary mitigation step is to upgrade Bitwarden Server to version 2026.6.0 or later, where the vulnerability has been fixed.

The fix includes validation to ensure that the email in the POST /auth-requests/admin-request body belongs to the authenticated caller, preventing unauthorized creation of Trusted Device Encryption authentication requests.

Until the upgrade can be applied, consider restricting access to the affected endpoint and monitoring for suspicious activity as described.

Compliance Impact

The vulnerability allows a low-privileged organization member to obtain another user's vault key and a victim-scoped access token, leading to disclosure of sensitive user data and potential account takeover.

Such unauthorized disclosure and access to personal data could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Specifically, the exposure of vault keys and access tokens may violate principles of data confidentiality and integrity mandated by these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60104. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart