CVE-2026-43639 PUBLISHED

Bitwarden Server < 2026.4.0 Missing Authorization via Provider Clients

Assigner: VulnCheck
Reserved: 01.05.2026 | Published: 11.05.2026 | Updated: 11.05.2026

Bitwarden Server prior to v2026.4.0 contains a missing-authorization vulnerability: a provider service user can add an arbitrary organization to their provider via POST /providers/{providerId}/clients/existing, resulting in takeover of the target organization. Self-hosted installations are unaffected, as this endpoint is restricted to Bitwarden Cloud via SelfHosted(NotSelfHostedOnly = true).

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 8.9

Product Status

Vendor: bitwarden
Product: server
Versions (default: affected):
  • affected from 0 to 2026.4.0 (excl.)

Credits

  • Sanjok Karki (finder)

Problem Types

  • Missing Authorization (CWE)