SSO Authentication Vulnerability in Vaultwarden by Bitwarden
CVE-2026-47164

7.7HIGH

Key Information:

Vendor
CVE Published:
15 July 2026

What is CVE-2026-47164?

A vulnerability in Vaultwarden's SSO login flow allowed for improper email verification checks when linking an identity provider (IdP) account to an existing local account. Specifically, prior to version 1.36.0, the email_verified claim from the IdP was only validated during new user registration. This oversight enabled an attacker using a compromised IdP identity to associate their own email address with an existing user account, allowing unauthorized access. This issue has been addressed in version 1.36.0, which reinforces proper email verification during SSO sign-ins, enhancing the security posture for users.

Affected Version(s)

vaultwarden < 1.36.0

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.