SSO Authentication Vulnerability in Vaultwarden by Bitwarden
CVE-2026-47164
7.7HIGH
What is CVE-2026-47164?
A vulnerability in Vaultwarden's SSO login flow allowed for improper email verification checks when linking an identity provider (IdP) account to an existing local account. Specifically, prior to version 1.36.0, the email_verified claim from the IdP was only validated during new user registration. This oversight enabled an attacker using a compromised IdP identity to associate their own email address with an existing user account, allowing unauthorized access. This issue has been addressed in version 1.36.0, which reinforces proper email verification during SSO sign-ins, enhancing the security posture for users.
Affected Version(s)
vaultwarden < 1.36.0
