Server
by Bitwarden
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-43640 | Bitwarden / Server | High | 0.46 | 8.1 | 0.01 | — | May 11, 2026 | Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session. |
| CVE-2026-43639 | Bitwarden / Server | High | 0.45 | 8.0 | 0.01 | — | May 11, 2026 | Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization;… |
| CVE-2026-43638 | Bitwarden / Server | Medium | 0.28 | 5.4 | 0.00 | — | May 11, 2026 | Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side… |
| CVE-2025-5138 | Bitwarden / Server | Low | 0.23 | 3.5 | 0.00 | — | May 25, 2025 | A vulnerability was found in Bitwarden up to 2.25.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The… |
| CVE-2020-15879 | Bitwarden / Server | — | 0.00 | — | 0.03 | — | Jul 21, 2020 | Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8, and 169.254.0.0/16). |
| CVE-2019-19766 | Bitwarden / Server | — | 0.00 | — | 0.01 | — | Dec 12, 2019 | The Bitwarden server through 1.32.0 has a potentially unwanted KDF. |