CVE-2026-60104
Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated cal
CVSS
8.7
High
EPSS
0.2%
p8
KEV
—
Exploit Today
3
0-100
Published: Jul 8, 2026 · Last modified: Jul 14, 2026 · CWE-639
0.2%EPSS · 30 days0.2%
2026-07-092026-07-17
Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryption authentication request, bound to an attacker-controlled public key, that is readable from an unauthenticated endpoint once approved resulting in disclosure of the victim's vault key and account takeover.
- github.comhttps://github.com/bitwarden/server/commit/dcf4c486b2b5bedecc03a48b427243328cc74a9a
- github.comhttps://github.com/bitwarden/server/pull/7615
- github.comhttps://github.com/bitwarden/server/releases#release-v2026.6.0
- sanjokkarki.com.nphttps://sanjokkarki.com.np/blog/bitwarden-vault-key-heist
- www.vulncheck.comhttps://www.vulncheck.com/advisories/bitwarden-server-authorization-bypass-via-admin-auth-request
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-552558.4 HIG42.8%
KEV—63Langflow Authorization Bypass Through User-Controlled Key Vulnerability10dCVE-2021-464168.1 HIG89.9%
——27Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling.4dCVE-2022-289867.5 HIG80.8%
——24LMS Doctor Simple 2 Factor Authentication Plugin For Moodle Affected: 2021072900 has an Insecure direct object references (IDOR) vulnerability, which allows remote attackers to update sensitive records such as email, password and phone number of other user accounts.9dCVE-2020-234465.3 MED65.5%
——20Verint Workforce Optimization suite 15.1 (15.1.0.37634) has Unauthenticated Information Disclosure via API9dCVE-2021-33806.5 MED61.5%
——18Insecure direct object reference (IDOR) vulnerability in ICREM H8 SSRMS allows attackers to disclose sensitive information via the Print Invoice Functionality.9dCVE-2022-362029.8 CRI51.5%
——15Doctor's Appointment System1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php. The settings.php is affected by Broken Access Control (IDOR) via id= parameter.9d