External risk intelligence

Bitwarden Server Authorization Bypass Allows Vault Key and Token Disclosure

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-60104

Bitwarden is a password management platform commonly deployed as an internet-facing service or identity portal. The vulnerability exists in a web-based authentication endpoint that is designed to be accessible to users over the network to facilitate device authentication and vault access, making the affected interface a core, public-facing component of the product's normal operation.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Bitwarden Server could allow a low-privileged user to gain access to another user's vault key and account by exploiting how authentication requests are handled. This could lead to unauthorized access to sensitive information stored in the compromised vault.

  • A low-privilege user can steal vault keys.
  • Sensitive vault data access is exposed.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker with low-privileged access within an organization can initiate a process to trick the server into revealing a victim's vault key and granting account takeover. This is achieved by submitting an authentication request for a trusted device, where the server fails to confirm that the email address in the request matches the authenticated user, allowing the attacker to associate an attacker-controlled public key and ultimately gain access to sensitive vault data.

  • Network access and low organization privileges required.
  • Create a trusted device encryption request.
  • Leads to vault key disclosure and account takeover.

Live Threat

Current exploitation, exposure, and threat context

A low-privileged organization member could obtain another user's vault key and a victim-scoped access token when supported by the advisory. This could lead to a disclosure of the victim's vault key and potential account takeover.

  • Victim's vault key and access token.
  • Creating a trusted device encryption request.
  • Account takeover and vault data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Bitwarden Server vulnerability impacts applications where users can initiate admin authentication requests, potentially leading to vault data exposure and account takeover. Owners of the Bitwarden application, along with the infrastructure or platform teams managing its deployment, are likely responsible for addressing this. The immediate first step is to identify all instances of the affected Bitwarden Server, determine their reachability and business criticality, and then assign ownership for remediation planning based on assessed risk.

  • Identify and confirm affected Bitwarden instances.
  • Verify owner and assess exposure and criticality.
  • Plan and execute remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Bitwarden Server and how is it used?

Bitwarden Server is the backend software platform that powers a password management service. It manages user accounts, handles encrypted vault synchronization across devices, and facilitates secure authentication processes. Organizations often deploy it to provide centralized credential storage and identity management for their employees.

What does CWE-639 mean for CVE-2026-60104?

CWE-639 refers to an Authorization Bypass Through User-Controlled Key. In this specific case, the server fails to verify that an email address in an authentication request matches the person actually sending it. Because the system trusts the request content without proper validation, an attacker can manipulate this process to access data they are not authorized to see.

Does any action trigger this vulnerability?

Yes, an attacker must hold at least low-privileged organization access to initiate a specific Trusted Device Encryption request. Simply visiting the login page or having an account is not enough; the attacker must deliberately craft an authentication request that points to a victim's email while substituting their own encryption key to intercept the vault data.

Why does Halo Surface Signal flag this as high relevance?

Halo Surface Signal notes that Bitwarden Server is typically deployed as an internet-facing identity portal. Because this flaw exists in a web-based endpoint designed for legitimate device authentication, the interface is inherently reachable over the network. This accessibility increases the likelihood that an attacker could reach the vulnerable component from outside the local network.

How do I secure my Bitwarden Server instances?

The first step is to locate all instances of Bitwarden Server within your environment and check their version numbers. If your server is running a version older than 2026.6.0, you are affected. You should immediately assign ownership of these systems to your infrastructure team to plan and apply the necessary software updates to reach the secure version.

References