QwikSec

Security Database

CVE

CWE

Training

CVE-2026-43639

Published: May 11, 2026

Modified: May 11, 2026

PUBLISHED

CVSS v3.1

8.0

HIGH

Description

Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).

Vendor	Product	Versions
bitwarden	server	affected `0 - < 2026.4.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://sanjokkarki.com.np/blog/bitwarden-provider-takeover

technical-description

exploit

https://github.com/bitwarden/server/releases/tag/v2026.4.0

release-notes

https://github.com/bitwarden/server/pull/7372

issue-tracking

https://github.com/bitwarden/server/commit/0918bfdda6f5eec391c69bd9074f6aef4eac0b1d

patch

https://www.vulncheck.com/advisories/bitwarden-server-missing-authorization-via-provider-clients

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.