CVE-2026-57520


Description

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows an authenticated Custom user holding the ManageUsers permission to remove Admin accounts from an organization. The single-user removal path enforces a role hierarchy check that stops a Custom user from removing an Admin, but the bulk user-remove endpoint omits that check. An attacker can therefore include Admin organization-user IDs in a bulk DELETE request and remove one or more Admin accounts from the organization, bypassing the guard that the single-user path enforces. Deployments on 2026.5.0 or later are not affected.
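The pattern behind this advisory, a per-target guard applied on the single-item path but skipped on the bulk path, is shown below as an added, self-contained model. It is not Bitwarden's code: the role names and rank order, the ManageUsers flag, the in-memory organization and the all-or-nothing batch policy are assumptions made for the illustration. The vulnerable bulk function checks the caller's permission once and then deletes every ID it is handed; the fixed one re-runs the same hierarchy check used by the single-user path for every target before mutating anything.

```python
"""Model of the missing-hierarchy-check pattern described for CVE-2026-57520.

Constructed illustration, not Bitwarden Server code. Roles, ranks and the
in-memory org store are assumptions chosen to make the guard easy to read.
"""
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    # Assumed rank order for this example; a higher value outranks a lower one.
    USER = 0
    CUSTOM = 1
    ADMIN = 2
    OWNER = 3


@dataclass(frozen=True)
class OrgUser:
    id: str
    role: Role
    manage_users: bool = False  # the ManageUsers permission a Custom user may hold


class Forbidden(Exception):
    """Raised when an authorization check fails."""


def can_manage_users(actor: OrgUser) -> bool:
    """Coarse permission: Admin/Owner, or a Custom user granted ManageUsers."""
    return actor.role >= Role.ADMIN or (actor.role == Role.CUSTOM and actor.manage_users)


def check_role_hierarchy(actor: OrgUser, target: OrgUser) -> None:
    """Per-target guard (assumed rule): nobody may remove an Admin or Owner
    who outranks them. This is the check the single-user path applies."""
    if target.role >= Role.ADMIN and actor.role < target.role:
        raise Forbidden(f"{actor.id} ({actor.role.name}) may not remove "
                        f"{target.id} ({target.role.name})")


def remove_user(org: dict, actor: OrgUser, target_id: str) -> None:
    """Single-user removal path: permission check, then hierarchy check."""
    if not can_manage_users(actor):
        raise Forbidden("ManageUsers required")
    check_role_hierarchy(actor, org[target_id])
    del org[target_id]


def bulk_remove_vulnerable(org: dict, actor: OrgUser, target_ids: list) -> list:
    """Bulk path as the advisory describes it: permission checked once for the
    caller, but the per-target hierarchy guard is never evaluated."""
    if not can_manage_users(actor):
        raise Forbidden("ManageUsers required")
    removed = []
    for tid in target_ids:
        if tid in org:
            del org[tid]          # Admin IDs sail through here
            removed.append(tid)
    return removed


def bulk_remove_fixed(org: dict, actor: OrgUser, target_ids: list) -> list:
    """Hardened bulk path: run the same per-target guard as remove_user for
    every ID before touching the store, so one forbidden target rejects the
    whole batch (all-or-nothing policy, assumed for the example)."""
    if not can_manage_users(actor):
        raise Forbidden("ManageUsers required")
    targets = [org[tid] for tid in target_ids if tid in org]
    for target in targets:
        check_role_hierarchy(actor, target)
    for target in targets:
        del org[target.id]
    return [target.id for target in targets]


def make_org() -> dict:
    """Constructed sample organization."""
    users = [
        OrgUser("owner-1", Role.OWNER),
        OrgUser("admin-1", Role.ADMIN),
        OrgUser("custom-1", Role.CUSTOM, manage_users=True),
        OrgUser("user-1", Role.USER),
    ]
    return {u.id: u for u in users}


def demo() -> dict:
    """Run a Custom+ManageUsers actor against both bulk paths and the single path."""
    actor = make_org()["custom-1"]
    batch = ["user-1", "admin-1"]

    org_vuln = make_org()
    vuln_removed = bulk_remove_vulnerable(org_vuln, actor, batch)

    org_fixed = make_org()
    try:
        bulk_remove_fixed(org_fixed, actor, batch)
        fixed_blocked = False
    except Forbidden:
        fixed_blocked = True

    org_single = make_org()
    try:
        remove_user(org_single, actor, "admin-1")
        single_blocked = False
    except Forbidden:
        single_blocked = True

    return {
        "vulnerable_removed": vuln_removed,          # ['user-1', 'admin-1']
        "fixed_blocked": fixed_blocked,              # True
        "fixed_org_intact": len(org_fixed) == 4,     # nothing deleted on rejection
        "single_blocked": single_blocked,            # True: the guard the bulk path skipped
    }


if __name__ == "__main__":
    print(demo())
```

When auditing an API for this class of bug, enumerate every endpoint that mutates the same resource (single, bulk, import, sync) and confirm each one calls the identical per-target authorization routine rather than a copy of the coarse caller-level check; the fixed function above does that by reusing `check_role_hierarchy` instead of re-implementing it.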

Scoring

CVSS 7.1 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Last modified: 2026-06-25
Sourced from NVD. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.