{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/bitwarden-server--2026.6.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-60104"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Bitwarden Server \u003c 2026.6.0"],"_cs_severities":["high"],"_cs_tags":["vulnerability","cve","account-takeover","credential-access","data-disclosure","bitwarden"],"_cs_type":"advisory","_cs_vendors":["Bitwarden"],"content_html":"\u003cp\u003eCVE-2026-60104 impacts Bitwarden Server versions prior to 2026.6.0, presenting a critical vulnerability that allows low-privileged organization members to compromise other users' accounts. The flaw exists because the server fails to verify the email address provided in a \u003ccode\u003ePOST /auth-requests/admin-request\u003c/code\u003e body belongs to the authenticated caller. An attacker can leverage this oversight to initiate a Trusted Device Encryption authentication request for a victim, binding it to a public key controlled by the attacker. Once this request is approved by the victim, the authentication details, including the victim's vault key and a victim-scoped access token, become readable from an unauthenticated endpoint. This ultimately leads to the disclosure of sensitive credentials and allows for a complete account takeover of the targeted user. This vulnerability highlights the importance of rigorous identity verification in API endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privileged organization member, acting as an attacker, authenticates to the Bitwarden server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/auth-requests/admin-request\u003c/code\u003e API endpoint.\u003c/li\u003e\n\u003cli\u003eThe request body of this \u003ccode\u003ePOST\u003c/code\u003e call contains the victim's email address and an attacker-controlled public key, intended to initiate a Trusted Device Encryption authentication request for the victim.\u003c/li\u003e\n\u003cli\u003eThe Bitwarden Server, vulnerable to CVE-2026-60104, processes this request without verifying that the email in the request body belongs to the authenticated caller.\u003c/li\u003e\n\u003cli\u003eThe victim receives and approves the fraudulent Trusted Device Encryption authentication request initiated by the attacker.\u003c/li\u003e\n\u003cli\u003eUpon approval, the authentication request details, including the victim's vault key and a victim-scoped access token, become accessible from an unauthenticated endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the victim's vault key and access token from the publicly accessible endpoint.\u003c/li\u003e\n\u003cli\u003eUsing the stolen vault key and access token, the attacker performs an account takeover of the victim's Bitwarden account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-60104 results in the complete compromise of a targeted Bitwarden user's account. This includes the disclosure of the victim's highly sensitive vault key, which grants access to all stored passwords and secure notes. Additionally, an access token is compromised, allowing an attacker to impersonate the victim within the Bitwarden ecosystem. The impact is significant for any organization utilizing Bitwarden Server versions prior to 2026.6.0, as any low-privileged organization member could theoretically target higher-privileged users or other members, leading to widespread credential exposure and unauthorized access to critical corporate data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Bitwarden Server to version 2026.6.0 or later to patch CVE-2026-60104.\u003c/li\u003e\n\u003cli\u003eReview all API endpoint configurations, especially those handling authentication and credential management, to ensure robust identity verification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T20:20:43Z","date_published":"2026-07-08T20:20:43Z","id":"https://feed.craftedsignal.io/briefs/2026-07-bitwarden-vault-key-disclosure/","summary":"A low-privileged Bitwarden organization member can exploit CVE-2026-60104 in Bitwarden Server versions prior to 2026.6.0, which allows an attacker to obtain another user's vault key and access token by creating a Trusted Device Encryption authentication request bound to an attacker-controlled public key, leading to account takeover.","title":"CVE-2026-60104 - Bitwarden Server Vault Key Disclosure and Account Takeover","url":"https://feed.craftedsignal.io/briefs/2026-07-bitwarden-vault-key-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed - Bitwarden Server \u003c 2026.6.0","version":"https://jsonfeed.org/version/1.1"}