CVE-2026-47158 in Vaultwardeninfo

Summary

by MITRE • 07/15/2026

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO authorization flow did not bind the OAuth state parameter accepted by /connect/authorize to the initiating browser session, allowed attacker-controlled PKCE parameters, and left SsoAuth records intact after failed token exchange, allowing an unauthenticated attacker to induce IdP authentication and redeem tokens for a fully authenticated session. This issue is fixed in version 1.36.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in Vaultwarden versions prior to 1.36.0 represents a critical authorization bypass flaw that undermines the security of the Single Sign-On implementation. This weakness stems from improper handling of OAuth 2.0 state parameters within the /connect/authorize endpoint, which should normally serve as a crucial anti-csrf mechanism by binding authentication requests to specific browser sessions. The failure to properly associate these state parameters with initiating sessions creates an exploitable condition where attackers can manipulate the authentication flow without proper authorization.

The technical flaw manifests through multiple interconnected vulnerabilities that collectively enable session hijacking attacks. First, the OAuth state parameter validation was insufficiently enforced, allowing attackers to bypass the expected state binding mechanism that should prevent cross-site request forgery attacks. Second, the system accepted attacker-controlled Proof Key for Code Exchange parameters, which are designed to enhance security in authorization code flows but become dangerous when arbitrary values can be injected. Third, the persistence of SsoAuth records after failed token exchanges creates a lingering authentication state that can be exploited by malicious actors to complete unauthorized authentication attempts.

This vulnerability directly maps to CWE-384, which addresses Session Fixation vulnerabilities, and aligns with ATT&CK technique T1566 for credential access through social engineering. The operational impact is severe as unauthenticated attackers can leverage this flaw to gain full authenticated access to Vaultwarden accounts without requiring valid credentials or knowledge of user passwords. The attack vector involves诱导 users to initiate authentication flows that can be manipulated by malicious actors, potentially leading to complete account compromise and access to sensitive password vault data.

The security implications extend beyond simple credential theft, as successful exploitation allows attackers to maintain persistent authenticated sessions within the Vaultwarden environment. This creates opportunities for further reconnaissance, lateral movement, and data exfiltration from the compromised accounts. Organizations relying on Vaultwarden for password management face significant risk of unauthorized access to sensitive credentials stored in their password vaults, potentially affecting thousands of user accounts across enterprise environments.

Mitigation strategies should begin with immediate deployment of Vaultwarden version 1.36.0 or later, which addresses all identified vulnerabilities through proper OAuth state parameter binding, validation of PKCE parameters, and cleanup of authentication records after failed exchanges. Additional protective measures include implementing strict session management policies, monitoring for unusual authentication patterns, and ensuring proper network segmentation around the Vaultwarden server. Organizations should also consider enabling additional security controls such as multi-factor authentication to provide defense-in-depth against potential exploitation attempts, while regularly reviewing and updating their authentication system configurations to prevent similar issues in other components of their security infrastructure.

Responsible

GitHub M

Reservation

05/18/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!