CVE-2026-43639: Bitwarden Server Missing Authorization Allows Organization Takeover
Summary
A missing-authorization vulnerability in Bitwarden Server versions prior to 2026.4.0 allows a malicious provider user to take control of an arbitrary organization. It affects cloud-hosted installations of Bitwarden Server but not self-hosted ones. To fix this issue, update to version 2026.4.0 or later.
What to do
Update Bitwarden Server to version 2026.4.0 or later (see the v2026.4.0 release linked below). Self-hosted installations are not affected.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| bitwarden | server | < 2026.4.0 (`cpe:2.3:a:bitwarden:server:*:*:*:*:*:*:*:*`) |
Original description
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via `SelfHosted(NotSelfHostedOnly = true)`.
NVD CVSS 3.1: 8.0
NVD CVSS 4.0: 8.9
Vulnerability type
CWE-862: Missing Authorization
- https://github.com/bitwarden/server/commit/0918bfdda6f5eec391c69bd9074f6aef4eac0...
- https://github.com/bitwarden/server/pull/7372
- https://github.com/bitwarden/server/releases/tag/v2026.4.0
- https://sanjokkarki.com.np/blog/bitwarden-provider-takeover
- https://www.vulncheck.com/advisories/bitwarden-server-missing-authorization-via-...
Published: 11 May 2026 · Updated: 28 May 2026 · First seen: 11 May 2026