CVE-2026-57520
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
A privilege escalation vulnerability in Bitwarden Server before 2026.5.0 allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization. This is due to a missing role hierarchy check in the bulk user-remove endpoint.
Risk Assessment
An attacker can remove all administrators from an organization, leading to full control over the organization and loss of access for legitimate users.
Recommendation
Immediately update Bitwarden Server to version 2026.5.0 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.

