Bitwarden Server < 2026.4.0 Missing Authorization via Provider Clients

Advisories

severity: high
date: 5/11/2026
Affecting: Bitwarden Server < 2026.4.0
CVE: CVE-2026-43639
CWE: CWE-862 Missing Authorization
CVSS: 8.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References: Researcher Blog
Release Notes
Pull Request
Patch Commit
Credit: Sanjok Karki
Description: Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo