CVE-2023-27706 in Bitwardeninfo

Summary

by MITRE • 06/09/2023

Bitwarden Desktop v1.20.0 and above stores the biometric key in plaintext which allows a local attacker to decrypt the entire local vault.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 11/21/2025

The vulnerability identified as CVE-2023-27706 represents a critical security flaw in Bitwarden Desktop applications version 1.20.0 and later. This issue specifically addresses how the software handles biometric authentication data, creating a significant risk for users who rely on fingerprint or facial recognition for vault access. The flaw stems from the application's improper handling of biometric keys, which are stored in plaintext format rather than being properly encrypted or protected. This design decision fundamentally undermines the security model that users expect when implementing biometric authentication as part of their password management strategy.

The technical implementation of this vulnerability involves the desktop application's storage mechanism for biometric authentication data. When users configure biometric login for their Bitwarden vault, the system generates a biometric key that serves as the cryptographic material needed to unlock the encrypted vault. However, instead of storing this key in an encrypted format with proper access controls, the application persists it in plain text within the local filesystem. This plaintext storage creates a persistent exposure point where any local attacker with access to the system can directly retrieve the biometric key without requiring additional authentication or cryptographic attacks. The flaw essentially transforms what should be a secure multi-factor authentication mechanism into a trivial attack vector.

The operational impact of this vulnerability extends beyond simple local privilege escalation. Any attacker with local system access can immediately decrypt the entire Bitwarden vault, gaining access to all stored passwords, sensitive credentials, and confidential information without requiring additional authentication factors. This represents a complete bypass of the intended security controls, as the biometric key serves as the primary means of vault access. The vulnerability affects all users who have configured biometric authentication, creating a widespread risk across all Bitwarden Desktop installations that have been updated to version 1.20.0 or later. The implications are particularly severe for users who store highly sensitive information in their vaults, as the compromise of a single local system can lead to complete exposure of all stored credentials.

This vulnerability aligns with CWE-312, which specifically addresses the exposure of sensitive information through improper handling of data. The flaw demonstrates a clear violation of secure coding practices regarding credential storage and encryption. From an attack perspective, this vulnerability maps to several ATT&CK techniques including T1566 for credential access and T1070 for indicator removal. The local attacker can leverage this weakness to establish persistent access to sensitive information without detection, as the plaintext storage does not require additional cryptographic attacks or complex exploitation techniques. Security professionals should note that this vulnerability represents a fundamental design flaw in the application's security architecture, where the protection of authentication keys is insufficiently implemented. The recommended mitigation strategy involves immediate patching of the Bitwarden Desktop application to version 2.0.0 or later, where the biometric key storage has been properly secured using appropriate encryption mechanisms and access controls. Additionally, users should consider disabling biometric authentication until the vulnerability is fully resolved and the application has been verified to properly protect authentication keys through secure storage mechanisms.

Reservation

03/05/2023

Disclosure

06/09/2023

Moderation

accepted

CPE

ready

EPSS

0.00585

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!