cvedb.io
CVE-2026-57520
HIGH · CVSS 7.1
EPSS exploitation probability: 0%
Published 2026-06-25T20:17:17.020 · Last modified 2026-06-30T05:19:58.910

Summary

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.

Affected products

bitwarden — server

Does this affect you?

Add your gear to cvedb and we'll alert you only when bitwarden ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.