CVE-2026-47164
HIGH
7.7
CVSS 3.1
Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO login flow checked the IdP email_verified claim only for new-user creation and not when SSO_SIGNUPS_MATCH_EMAIL=true linked an IdP identity to an existing local account, allowing an attacker-controlled IdP identity asserting a victim email address to bind to and authenticate as that account. This issue is fixed in version 1.36.0.
Metadata
Severity & Metrics
7.7
HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| dani-garcia | vaultwarden | — | < 1.36.0 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-284 | cna | CWE-284: Improper Access Control |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.7 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L |
References (4)
- https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-6x5c-84vm-5j56 https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-6x5c-84vm-5j56
- https://github.com/dani-garcia/vaultwarden/pull/7163 https://github.com/dani-garcia/vaultwarden/pull/7163
- https://github.com/dani-garcia/vaultwarden/commit/d297e274a35dccd0f5d935e9d5934e0f7e9c0a87 https://github.com/dani-garcia/vaultwarden/commit/d297e274a35dccd0f5d935e9d5934e0f7e9c0a87
- https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0 https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0