CVE-2026-47164 in Vaultwarden
Summary
by MITRE • 07/15/2026
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO login flow checked the IdP email_verified claim only for new-user creation and not when SSO_SIGNUPS_MATCH_EMAIL=true linked an IdP identity to an existing local account, allowing an attacker-controlled IdP identity asserting a victim email address to bind to and authenticate as that account. This issue is fixed in version 1.36.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in Vaultwarden affects the Single Sign-On authentication flow mechanism that operates within the Bitwarden-compatible server implementation written in rust. This flaw exists specifically in versions prior to 1.36.0 where the system demonstrates inconsistent verification practices during user authentication processes. The core issue manifests when the SSO_SIGNUPS_MATCH_EMAIL configuration parameter is enabled, creating a security gap in the identity linking process between external Identity Provider (IdP) assertions and existing local accounts.
The technical flaw stems from the application's failure to consistently validate the email_verified claim from the Identity Provider throughout all authentication scenarios. During new user creation, Vaultwarden properly checks the IdP's email_verified status, but when linking an existing local account to a new IdP identity through the SSO_SIGNUPS_MATCH_EMAIL functionality, this crucial verification step is omitted. This inconsistency creates an exploitable condition where malicious actors can manipulate IdP responses to assert arbitrary email addresses while maintaining legitimate authentication flows.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass account takeover capabilities. An attacker who controls a malicious IdP can exploit this weakness by asserting a victim's email address in the authentication flow, successfully binding that identity to the victim's existing account and subsequently authenticating as that user. This represents a significant compromise of user identity integrity and potentially leads to unauthorized access to sensitive password vault data and associated services.
This vulnerability aligns with CWE-287 which addresses improper authentication scenarios and specifically relates to insufficient verification of identity assertions during account linking processes. The flaw also maps to ATT&CK technique T1078.004 which covers valid accounts through compromised credentials, as the attack leverages legitimate authentication mechanisms while exploiting weak validation controls. The issue demonstrates poor access control implementation where the system fails to maintain consistent security checks across different authentication pathways.
The mitigation strategy involves upgrading to Vaultwarden version 1.36.0 or later where the fix ensures that the email_verified claim from Identity Providers is consistently validated regardless of whether the authentication flow creates new accounts or links existing ones. Additionally, administrators should review and properly configure SSO_SIGNUPS_MATCH_EMAIL settings in accordance with their security requirements, ensuring that identity verification remains strict across all account linking scenarios to prevent unauthorized account takeover attempts and maintain the integrity of the authentication system.
The vulnerability demonstrates how seemingly minor configuration inconsistencies can create significant security risks in identity management systems. The fix implemented in version 1.36.0 ensures proper validation of external identity assertions during all authentication pathways, maintaining consistent security controls across both new user creation and existing account linking scenarios. This represents a critical improvement in the system's ability to maintain user identity integrity while preserving legitimate SSO functionality for authorized users.