OAuth State Parameter Vulnerability in Vaultwarden by Bitwarden
CVE-2026-47158
8.3HIGH
What is CVE-2026-47158?
Vaultwarden, a Bitwarden-compatible password manager server, has a vulnerability in its SSO authorization flow prior to version 1.36.0. This issue allows an unauthenticated attacker to manipulate the OAuth state parameter not bound to the initiating browser session, exploit attacker-controlled PKCE parameters, and retain SsoAuth records post-failed token exchanges. These flaws could facilitate unauthorized IdP authentication, allowing attackers to redeem tokens and gain full access to authenticated sessions. This security concern has been addressed in Vaultwarden version 1.36.0.
Affected Version(s)
vaultwarden < 1.36.0
