← back
CVE-2026-57520

Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

CVSS 7.1 HIGHEPSS 0.3%CWE-862
Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Affected products
bitwarden · server
public PoCs found1
cve_referencesanjokkarki.com.np/blog/bitwarden-bulk-remove-adminunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/bitwarden/server/commit/901bb67157c0f80d369c40b76742fdf7623da4e4https://github.com/bitwarden/server/pull/7526https://github.com/bitwarden/server/releases/tag/v2026.5.0https://sanjokkarki.com.np/blog/bitwarden-bulk-remove-adminhttps://www.vulncheck.com/advisories/bitwarden-server-privilege-escalation-via-bulk-user-remove-endpoint