CVE-2026-47158 PUBLISHED

Vaultwarden: CSRF in SSO Authorization Flow

Assigner: GitHub_M
Reserved: 18.05.2026 Published: 15.07.2026 Updated: 15.07.2026

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO authorization flow did not bind the OAuth state parameter accepted by /connect/authorize to the initiating browser session, allowed attacker-controlled PKCE parameters, and left SsoAuth records intact after failed token exchange, allowing an unauthenticated attacker to induce IdP authentication and redeem tokens for a fully authenticated session. This issue is fixed in version 1.36.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
CVSS Score: 8.3

Product Status

Vendor dani-garcia
Product vaultwarden
Versions
  • Version < 1.36.0 is affected

References

Problem Types

  • CWE-352: Cross-Site Request Forgery (CSRF) CWE