PT-2026-52574 · Bitwarden · Server
Sanjok Karki
·
Publicado
2026-06-25
·
Atualizado
2026-06-25
·
CVE-2026-57520
CVSS v3.1
7.1
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.
Exploit
Correção
Missing Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Server