Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-57520
PUBLISHED
More InfoOfficial Page
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
View Known Exploited Vulnerability (KEV) details
Published At-25 Jun, 2026 | 19:08
Updated At-30 Jun, 2026 | 03:30
Rejected At-
▼CVE Numbering Authority (CNA)
Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.

Affected Products
Vendor
bitwarden
Product
server
Repo
https://github.com/bitwarden/server
Default Status
affected
Versions
Affected
  • From 0 before 2026.5.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: Missing Authorization
Metrics
VersionBase scoreBase severityVector
4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
3.17.1HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Sanjok Karki
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://sanjokkarki.com.np/blog/bitwarden-bulk-remove-admin
technical-description
exploit
https://github.com/bitwarden/server/releases/tag/v2026.5.0
release-notes
https://github.com/bitwarden/server/pull/7526
issue-tracking
https://github.com/bitwarden/server/commit/901bb67157c0f80d369c40b76742fdf7623da4e4
patch
https://www.vulncheck.com/advisories/bitwarden-server-privilege-escalation-via-bulk-user-remove-endpoint
third-party-advisory
Hyperlink: https://sanjokkarki.com.np/blog/bitwarden-bulk-remove-admin
Resource:
technical-description
exploit
Hyperlink: https://github.com/bitwarden/server/releases/tag/v2026.5.0
Resource:
release-notes
Hyperlink: https://github.com/bitwarden/server/pull/7526
Resource:
issue-tracking
Hyperlink: https://github.com/bitwarden/server/commit/901bb67157c0f80d369c40b76742fdf7623da4e4
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/bitwarden-server-privilege-escalation-via-bulk-user-remove-endpoint
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Details not found