Description
Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.
Published: 2026-06-25
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bitwarden Server versions prior to 2026.5.0 allow an authenticated Custom user who holds the ManageUsers permission to remove one or more Admin accounts from an organization. The cause is a missing role hierarchy check in the bulk user-remove endpoint, a missing-authorization weakness (CWE-862): the single-user removal path enforces that a lower-privileged actor cannot remove an Admin, but the bulk path does not apply the same guard to each supplied organization-user ID, so an attacker can include Admin IDs in a bulk DELETE request. The result is that Admin accounts are removed, stripping the organization of its administrative authority and potentially disabling critical administrative functions.
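To make the defect class concrete, the following added Python model contrasts a bulk-remove path that checks only the caller's permission flag with one that evaluates the per-target hierarchy guard for every ID. This is illustrative code written for this page, not Bitwarden's; the role model, function names and organization-user IDs are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Role(Enum):
    ADMIN = "admin"
    USER = "user"
    CUSTOM = "custom"

@dataclass
class OrgUser:
    id: str
    role: Role
    manage_users: bool = False  # the ManageUsers permission of a Custom role

# Constructed sample organization; the IDs are placeholders, not real data.
SAMPLE_ORG = {
    "ou-admin-1": OrgUser("ou-admin-1", Role.ADMIN),
    "ou-custom-1": OrgUser("ou-custom-1", Role.CUSTOM, manage_users=True),
    "ou-user-1": OrgUser("ou-user-1", Role.USER),
}

def has_manage_users(actor: OrgUser) -> bool:
    return actor.role is Role.ADMIN or actor.manage_users

def may_remove(actor: OrgUser, target: OrgUser) -> bool:
    """Per-target hierarchy guard (assumed model): only an Admin may remove
    another Admin; anyone with ManageUsers may remove users below Admin."""
    if not has_manage_users(actor):
        return False
    return actor.role is Role.ADMIN or target.role is not Role.ADMIN

def bulk_remove_vulnerable(org: dict, actor_id: str, target_ids: list) -> list:
    """The defect pattern: the bulk path checks only the actor's permission
    flag, so the hierarchy guard of the single-user path never runs."""
    if not has_manage_users(org[actor_id]):
        raise PermissionError(actor_id)
    return [tid for tid in target_ids if org.pop(tid, None) is not None]

def bulk_remove_fixed(org: dict, actor_id: str, target_ids: list) -> list:
    """Hardened form: evaluate the same per-target guard for every ID and
    reject the whole request before any deletion if one target is denied."""
    actor = org[actor_id]
    denied = [t for t in target_ids if t in org and not may_remove(actor, org[t])]
    if denied:
        raise PermissionError(denied)
    return [tid for tid in target_ids if org.pop(tid, None) is not None]
```

The hardened version fails closed on the whole batch, so a single disallowed ID cannot be smuggled in alongside legitimate removals.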

Affected Systems

The affected product is Bitwarden Server. All releases before 2026.5.0 are impacted. No specific sub‑versions are enumerated beyond the stated cutoff.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (High) reflects a flaw reachable over the network that needs only low privileges and no user interaction, with a high integrity impact and a low availability impact. The attacker must already hold an authenticated Custom account with the ManageUsers permission, so exposure depends on how widely that permission is granted within an organization. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so while exploitation is straightforward for a suitably privileged insider, its likelihood depends on permission assignments and internal controls.

Generated by OpenCVE AI on June 25, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bitwarden Server to version 2026.5.0 or later, which adds the missing role hierarchy check to the bulk user-remove endpoint.
  • If an immediate upgrade is not feasible, audit and remove the ManageUsers permission from Custom users or otherwise limit their ability to use the bulk user‑remove API.
  • As a temporary safeguard, block or restrict access to the bulk user‑remove endpoint via an API gateway or firewall so that only trusted, privileged accounts can invoke it.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 01:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Bitwarden; Bitwarden server
Vendors & Products   -                Bitwarden; Bitwarden server

Thu, 25 Jun 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description   -                Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.
Title         -                Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint
Weaknesses    -                CWE-862
References    -                -
Metrics       -                cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}
                               cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T19:08:41.189Z

Reserved: 2026-06-24T15:58:58.537Z

Link: CVE-2026-57520

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T01:15:04Z

Weaknesses