https://nvd.nist.gov/vuln/detail/CVE-2023-27706
Bitwarden Desktop v1.20.0 and above stores the biometric key in plaintext which allows a local attacker to decrypt the entire local vault if you are using Windows Hello and are not on the latest version. The Bitwarden Windows client before version 2023.4.0 is affected.
Details here: https://hackerone.com/reports/1874155
(shamelessly stolen from reddit)
Only possible if you enable bio auth but the more worrying is the token isn’t destroyed even after the application is closed. Eek