Bug 2500996 (CVE-2026-47164) - CVE-2026-47164 vaultwarden: Vaultwarden: Account takeover via SSO email auto-linking vulnerability
Summary: CVE-2026-47164 vaultwarden: Vaultwarden: Account takeover via SSO email auto-...
Keywords:
Status: NEW
Alias: CVE-2026-47164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-15 16:01 UTC by OSIDB Bzimport
Modified: 2026-07-15 17:09 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-15 16:01:36 UTC
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO login flow checked the IdP email_verified claim only for new-user creation and not when SSO_SIGNUPS_MATCH_EMAIL=true linked an IdP identity to an existing local account, allowing an attacker-controlled IdP identity asserting a victim email address to bind to and authenticate as that account. This issue is fixed in version 1.36.0.


Note You need to log in before you can comment on or make changes to this bug.