Back to overview

CVE-2026-47158

HIGH
8.3
CVSS 3.1
Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO authorization flow did not bind the OAuth state parameter accepted by /connect/authorize to the initiating browser session, allowed attacker-controlled PKCE parameters, and left SsoAuth records intact after failed token exchange, allowing an unauthenticated attacker to induce IdP authentication and redeem tokens for a fully authenticated session. This issue is fixed in version 1.36.0.

Metadata

CVE ID
CVE-2026-47158
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-18 21:25 UTC
Published
2026-07-15 15:01 UTC
Last updated
2026-07-15 18:04 UTC
Primary CWE
CWE-352
CWE-352: Cross-Site Request Forgery (CSRF)
Vendor / Product
dani-garcia / vaultwarden
Sources
cve.org  ·  NVD

Severity & Metrics

8.3 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
dani-garcia vaultwarden < 1.36.0
Weakness (CWE)
CWESourceDescription
CWE-352 cna CWE-352: Cross-Site Request Forgery (CSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.3 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
References (4)
Back to overview