OAuth State Parameter Vulnerability in Vaultwarden by Bitwarden
CVE-2026-47158

8.3HIGH

Key Information:

Vendor
CVE Published:
15 July 2026

What is CVE-2026-47158?

Vaultwarden, a Bitwarden-compatible password manager server, has a vulnerability in its SSO authorization flow prior to version 1.36.0. This issue allows an unauthenticated attacker to manipulate the OAuth state parameter not bound to the initiating browser session, exploit attacker-controlled PKCE parameters, and retain SsoAuth records post-failed token exchanges. These flaws could facilitate unauthorized IdP authentication, allowing attackers to redeem tokens and gain full access to authenticated sessions. This security concern has been addressed in Vaultwarden version 1.36.0.

Affected Version(s)

vaultwarden < 1.36.0

References

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.