Authorization Bypass in Bitwarden Server Exposes Vault Keys
CVE-2026-60104
Key Information:
Badges
What is CVE-2026-60104?
A vulnerability in Bitwarden Server prior to version 2026.6.0 allows a low-privileged member of an organization to exploit the authentication request process. By creating a Trusted Device Encryption request using an attacker-controlled public key, the malicious actor can obtain another user's vault key and a victim-specific access token. This information can be accessed through an unauthenticated endpoint once the request is approved, leading to unauthorized disclosure of sensitive vault data and potential account takeover.
Affected Version(s)
server 0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
