CVE-2026-43640
- EPSS 0.5%
- Veröffentlicht 11.05.2026 18:16:37
- Zuletzt bearbeitet 16.05.2026 03:04:58
Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid ses...
CVE-2026-43638
- EPSS 0.19%
- Veröffentlicht 11.05.2026 18:16:36
- Zuletzt bearbeitet 16.05.2026 02:55:54
Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, ...
CVE-2026-43639
- EPSS 0.6%
- Veröffentlicht 11.05.2026 18:16:36
- Zuletzt bearbeitet 16.05.2026 03:04:41
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of th...
CVE-2020-15879
- EPSS 2.7%
- Veröffentlicht 21.07.2020 17:15:12
- Zuletzt bearbeitet 21.11.2024 05:06:21
Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8, and 169.254.0.0/16).
CVE-2019-19766
- EPSS 1.35%
- Veröffentlicht 12.12.2019 19:15:21
- Zuletzt bearbeitet 21.11.2024 04:35:20
The Bitwarden server through 1.32.0 has a potentially unwanted KDF.