Bitwarden
Recent CVEs
| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-42994 | Critical | 0.64 | 9.8 | 0.00 | May 1, 2026 | Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, when obtained from npm, had embedded malicious code. This is related to a Checkmarx supply chain incident. |
| CVE-2026-43640 | High | 0.46 | 8.1 | 0.01 | May 11, 2026 | Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session. |
| CVE-2026-43639 | High | 0.45 | 8.0 | 0.01 | May 11, 2026 | Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization;… |
| CVE-2026-43638 | Medium | 0.28 | 5.4 | 0.00 | May 11, 2026 | Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side… |
| CVE-2025-5138 | Low | 0.23 | 3.5 | 0.00 | May 25, 2025 | A vulnerability was found in Bitwarden up to 2.25.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The… |
| CVE-2023-27974 | — | 0.00 | — | 0.01 | Mar 8, 2023 | Bitwarden through 2023.2.1 offers password auto-fill when the second-level domain matches, e.g., a password stored for an example.com hosting provider when customer-website.example.com is visited. NOTE: the vendor's position is that "Auto-fill on page load" is not enabled by… |
| CVE-2018-25081 | — | 0.00 | — | 0.01 | Mar 8, 2023 | Bitwarden through 2023.2.1 offers password auto-fill within a cross-domain IFRAME element. NOTE: the vendor's position is that there have been important legitimate cross-domain configurations (e.g., an apple.com IFRAME element on the icloud.com website) and that "Auto-fill on… |
| CVE-2020-15879 | — | 0.00 | — | 0.03 | Jul 21, 2020 | Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8, and 169.254.0.0/16). |
| CVE-2019-19766 | — | 0.00 | — | 0.01 | Dec 12, 2019 | The Bitwarden server through 1.32.0 has a potentially unwanted KDF. |