PatchSiren cyber security CVE debrief
CVE-2026-60104 bitwarden CVE debrief
CVE-2026-60104 is a critical vulnerability in Bitwarden Server before version 2026.6.0. The issue allows a low-privileged organization member to obtain another user's vault key and a victim-scoped access token. This is achieved by creating a Trusted Device Encryption authentication request bound to an attacker-controlled public key. The request is readable from an unauthenticated endpoint once approved, resulting in the disclosure of the victim's vault key and potential account takeover.
- Vendor
- bitwarden
- Product
- server
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of Bitwarden Server, especially those with low-privileged organization members, should be aware of this vulnerability. Immediate action is recommended to upgrade to version 2026.6.0 or later to mitigate the risk.
Technical summary
The vulnerability exists in the authentication request handling of Bitwarden Server. Specifically, the server does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller. This oversight allows an attacker to create a Trusted Device Encryption authentication request bound to their public key. Once approved, the request is accessible via an unauthenticated endpoint, enabling the attacker to obtain the victim's vault key and a victim-scoped access token. This could lead to unauthorized access to sensitive information and potential account takeover.
Defensive priority
High
Recommended defensive actions
- Upgrade Bitwarden Server to version 2026.6.0 or later
- Review and restrict access to the /auth-requests/admin-request endpoint
- Monitor for suspicious activity related to authentication requests
- Implement additional logging and monitoring for low-privileged organization members' activities
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record was published on 2026-07-08T20:17:00.413Z and was last modified on 2026-07-10T18:01:31.563Z. The NVD entry is currently Awaiting Analysis. Multiple sources, including GitHub commits, pull requests, and release notes, as well as a blog post and a vulnerability advisory, provide context for this vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:17:00.413Z and has not been modified since then.