CVE-2026-43638
Bitwarden Server Missing Authorization via Empty Collections Array

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulnCheck

Description
Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side permission check to be skipped.
Affected Vendors & Products
Vendor: bitwarden
Product: server
Version / Range: up to 2026.4.1 (excluding)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-43638 is an authorization bypass vulnerability in Bitwarden Server versions prior to 2026.4.1. It occurs in the organization cipher import functionality where any authenticated user can write ciphers into an arbitrary organization by sending a POST request to `/ciphers/import-organization` with an empty `collections` array. This causes the server-side permission check to be skipped, allowing unauthorized users to inject ciphers into organizations they do not have permission to access.

The vulnerability was fixed by enhancing the import validation logic to ensure that only authorized users or managed service providers can perform imports, and by removing the bypass that allowed imports with no collections without proper permissions.


How can this vulnerability impact me?

This vulnerability allows any authenticated user to bypass authorization controls and import ciphers into any organization within Bitwarden Server. This unauthorized data manipulation can lead to unauthorized access or modification of sensitive encrypted data stored in the organization's vault.

Such unauthorized imports could compromise the integrity and confidentiality of organizational secrets, potentially leading to data breaches or misuse of sensitive credentials.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint `/ciphers/import-organization` where the request body contains an empty `collections` array. Such requests indicate attempts to bypass authorization checks and import ciphers into arbitrary organizations.

To detect this on your system or network, you can use network monitoring or web server access logs to filter for these specific POST requests.

  • Use command-line tools like `grep` or `awk` on your web server logs to find POST requests to `/ciphers/import-organization` with an empty `collections` array.
  • Example command to search logs (assuming JSON formatted logs): `grep 'POST /ciphers/import-organization' /path/to/access.log | grep '"collections":\[\]'`
  • Use network packet capture tools like `tcpdump` or `Wireshark` to filter HTTP POST requests to the vulnerable endpoint and inspect the payload for empty `collections` arrays.
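The log check described above, as an added example (not part of this advisory and not Bitwarden's code): a Python scanner over constructed JSON-per-line access log entries. It assumes a reverse proxy or application logger that records the request body in a `body` field, which ordinary web server access logs do not; the field names (`ts`, `method`, `path`, `status`, `user`, `body`) and the `organizationId` query parameter are assumptions. Entries where the body was not logged or is not valid JSON are returned for manual review rather than silently dropped, because for those the check cannot be decided.

```python
import json
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Endpoint named in the advisory.
TARGET_PATH = "/ciphers/import-organization"

# Constructed sample log lines (not real traffic), one JSON object per line,
# in the shape a reverse proxy configured to log request bodies might emit.
# Field names and the organizationId query parameter are assumptions.
SAMPLE_LOG = r'''
{"ts":"2026-05-11T10:00:01Z","method":"POST","path":"/ciphers/import-organization?organizationId=ORG-ID-PLACEHOLDER","status":200,"user":"alice","body":"{\"collections\":[],\"ciphers\":[{\"name\":\"x\"}],\"collectionRelationships\":[]}"}
{"ts":"2026-05-11T10:00:02Z","method":"POST","path":"/ciphers/import-organization?organizationId=ORG-ID-PLACEHOLDER","status":200,"user":"bob","body":"{\"collections\":[{\"name\":\"Engineering\"}],\"ciphers\":[],\"collectionRelationships\":[]}"}
{"ts":"2026-05-11T10:00:03Z","method":"GET","path":"/ciphers/import-organization","status":405,"user":"carol"}
{"ts":"2026-05-11T10:00:04Z","method":"POST","path":"/ciphers/import-organization","status":200,"user":"dave"}
{"ts":"2026-05-11T10:00:05Z","method":"POST","path":"/ciphers/import-organization","status":400,"user":"erin","body":"not json"}
{"ts":"2026-05-11T10:00:06Z","method":"POST","path":"/some/other/endpoint","status":200,"user":"frank","body":"{\"collections\":[]}"}
{"ts":"2026-05-11T10:00:07Z","method":"POST","path":"/ciphers/import-organization","status":200,"user":"grace","body":"{\"collections\": [], \"ciphers\": []}"}
'''


def classify(line: str) -> Optional[Dict]:
    """Return a finding for one log line, or None if the line is not a POST to the endpoint.

    Verdicts: "alert"  - body parsed and `collections` is an empty array (the bypass pattern)
              "info"   - body parsed and `collections` is non-empty (ordinary import)
              "review" - body missing, not JSON, or without a `collections` key (undecidable)
    """
    line = line.strip()
    if not line:
        return None
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None  # not a JSON log line at all; ignore
    if not isinstance(entry, dict) or entry.get("method") != "POST":
        return None
    # Compare only the path component so a query string does not defeat the match.
    if urlsplit(str(entry.get("path", ""))).path != TARGET_PATH:
        return None

    finding = {"ts": entry.get("ts"), "user": entry.get("user"), "status": entry.get("status")}
    body = entry.get("body")
    if body is None:
        finding.update(verdict="review", reason="request body not logged")
        return finding
    try:
        payload = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        finding.update(verdict="review", reason="request body is not valid JSON")
        return finding

    collections = payload.get("collections") if isinstance(payload, dict) else None
    if collections == []:
        finding.update(verdict="alert", reason="empty collections array (CVE-2026-43638 bypass pattern)")
    elif isinstance(collections, list):
        finding.update(verdict="info", reason="collections present; ordinary import")
    else:
        finding.update(verdict="review", reason="no collections array in body")
    return finding


def scan(lines: Iterable[str]) -> List[Dict]:
    """All findings (alert, info and review) for POSTs to the import endpoint."""
    return [f for f in map(classify, lines) if f is not None]


def alerts(lines: Iterable[str]) -> List[Dict]:
    """Only the findings that match the empty-collections bypass pattern."""
    return [f for f in scan(lines) if f["verdict"] == "alert"]


def sample_lines() -> List[str]:
    return SAMPLE_LOG.strip().splitlines()


if __name__ == "__main__":
    for finding in scan(sample_lines()):
        print(finding)
```

Parsing the body as JSON, rather than grepping for the literal `"collections":[]`, also catches `"collections": []` written with whitespace or with the keys in a different order, and a request whose body was never logged comes back with a `review` verdict so it is not mistaken for clean traffic.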

What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended step to mitigate this vulnerability is to upgrade the Bitwarden Server to version 2026.4.1 or later, where the missing authorization check has been fixed.

The fix includes enhanced validation logic that prevents unauthorized users from importing ciphers into organizations without proper permissions.

If upgrading immediately is not possible, consider restricting access to the `/ciphers/import-organization` endpoint to only trusted users or IP addresses as a temporary workaround.

Additionally, monitor logs for suspicious POST requests to this endpoint with empty `collections` arrays and investigate any such activity.

