CVE Catalog

CVE-2026-57520

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile - higher than 19% of all known CVEs

Summary

A privilege escalation vulnerability in Bitwarden Server before 2026.5.0 allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization. This is due to a missing role hierarchy check in the bulk user-remove endpoint.

Risk Assessment

An attacker can remove all administrators from an organization, leading to full control over the organization and loss of access for legitimate users.

Recommendation

Immediately update Bitwarden Server to version 2026.5.0 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS