Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

Advisories

severity: high
date: 6/25/2026
Affecting: server < 2026.5.0
CVE: CVE-2026-57520
CWE: CWE-862 Missing Authorization
CVSS: 7.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
References: https://sanjokkarki.com.np/blog/bitwarden-bulk-remove-admin
https://github.com/bitwarden/server/releases/tag/v2026.5.0
https://github.com/bitwarden/server/pull/7526
https://github.com/bitwarden/server/commit/901bb67157c0f80d369c40b76742fdf7623da4e4
Credit: Sanjok Karki
Description: Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo