Server-Side Request Forgery in Vaultwarden Product by Bitwarden
CVE-2026-47160

5.8MEDIUM

Key Information:

Vendor
CVE Published:
15 July 2026

What is CVE-2026-47160?

Vaultwarden, a Bitwarden-compatible server implemented in Rust, is susceptible to a Server-Side Request Forgery (SSRF) due to insufficient checks in its icon-fetching mechanism before version 1.36.0. The vulnerabilities in the /icons/{domain}/icon.png endpoint involve certain checks that fail to block decimal, hexadecimal, and octal IP formats. This oversight allows for the potential exploitation of internal network and port discovery, posing significant security risks. This issue was addressed in the release of version 1.36.0, which implemented necessary safeguards to prevent this exploit.

Affected Version(s)

vaultwarden < 1.36.0

References

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.