PT-2026-60204 · Dani Garcia · Vaultwarden
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-47164
CVSS v3.1
7.7
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L |
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO login flow checked the IdP email verified claim only for new-user creation and not when SSO SIGNUPS MATCH EMAIL=true linked an IdP identity to an existing local account, allowing an attacker-controlled IdP identity asserting a victim email address to bind to and authenticate as that account. This issue is fixed in version 1.36.0.
Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vaultwarden