CVE-2026-60104 - Bitwarden Server Vault Key Disclosure and Account Takeover
A low-privileged Bitwarden organization member can exploit CVE-2026-60104 in Bitwarden Server versions prior to 2026.6.0, which allows an attacker to obtain another user's vault key and access token by creating a Trusted Device Encryption authentication request bound to an attacker-controlled public key, leading to account takeover.
CVE-2026-60104 impacts Bitwarden Server versions prior to 2026.6.0, presenting a critical vulnerability that allows low-privileged organization members to compromise other users' accounts. The flaw exists because the server fails to verify the email address provided in a POST /auth-requests/admin-request body belongs to the authenticated caller. An attacker can leverage this oversight to initiate a Trusted Device Encryption authentication request for a victim, binding it to a public key controlled by the attacker. Once this request is approved by the victim, the authentication details, including the victim's vault key and a victim-scoped access token, become readable from an unauthenticated endpoint. This ultimately leads to the disclosure of sensitive credentials and allows for a complete account takeover of the targeted user. This vulnerability highlights the importance of rigorous identity verification in API endpoints.
Attack Chain
- A low-privileged organization member, acting as an attacker, authenticates to the Bitwarden server.
- The attacker sends a
POSTrequest to the/auth-requests/admin-requestAPI endpoint. - The request body of this
POSTcall contains the victim's email address and an attacker-controlled public key, intended to initiate a Trusted Device Encryption authentication request for the victim. - The Bitwarden Server, vulnerable to CVE-2026-60104, processes this request without verifying that the email in the request body belongs to the authenticated caller.
- The victim receives and approves the fraudulent Trusted Device Encryption authentication request initiated by the attacker.
- Upon approval, the authentication request details, including the victim's vault key and a victim-scoped access token, become accessible from an unauthenticated endpoint.
- The attacker retrieves the victim's vault key and access token from the publicly accessible endpoint.
- Using the stolen vault key and access token, the attacker performs an account takeover of the victim's Bitwarden account.
Impact
Successful exploitation of CVE-2026-60104 results in the complete compromise of a targeted Bitwarden user's account. This includes the disclosure of the victim's highly sensitive vault key, which grants access to all stored passwords and secure notes. Additionally, an access token is compromised, allowing an attacker to impersonate the victim within the Bitwarden ecosystem. The impact is significant for any organization utilizing Bitwarden Server versions prior to 2026.6.0, as any low-privileged organization member could theoretically target higher-privileged users or other members, leading to widespread credential exposure and unauthorized access to critical corporate data.
Recommendation
- Immediately upgrade Bitwarden Server to version 2026.6.0 or later to patch CVE-2026-60104.
- Review all API endpoint configurations, especially those handling authentication and credential management, to ensure robust identity verification.