Product
A low-privileged Bitwarden organization member can exploit CVE-2026-60104 in Bitwarden Server versions prior to 2026.6.0, which allows an attacker to obtain another user's vault key and access token by creating a Trusted Device Encryption authentication request bound to an attacker-controlled public key, leading to account takeover.