CVE-2026-43639
Received Received - Intake
Bitwarden Server Missing Authorization Leading to Organization Takeover

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulnCheck

Description
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-43639
EUVD
EUVD-2026-29170
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bitwarden server to 2026.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-43639 is a missing authorization vulnerability in Bitwarden Server versions prior to 2026.4.0 that affects cloud installations. It allows a provider service user to add an arbitrary organization to their provider via the POST /providers/{providerId}/clients/existing endpoint without proper ownership verification. This means an attacker with a provider account can take over a target organization by linking it to their own provider account, effectively gaining control over that organization.

The vulnerability arises because the POST endpoint trusted the organization GUID supplied in the request body without verifying that the user owns the organization. This contrasts with the GET /clients/addable endpoint, which correctly enforced ownership checks. The flaw enabled attackers to manipulate billing details, cancel subscriptions, and change organization status, leading to a takeover.

The issue was fixed in version 2026.4.0 by adding explicit ownership and authorization checks, ensuring the user is authenticated, is the owner of the organization, and that the organization can be added to the provider before proceeding.

Impact Analysis

This vulnerability can have severe impacts if you are using the cloud version of Bitwarden Server. An attacker with a provider account could take over your organization by adding it to their provider, which can lead to unauthorized control over your organization's data and billing.

  • Takeover of the target organization by linking it to the attacker's provider.
  • Cancellation of your organization's Stripe subscription without your consent.
  • Modification of billing email and subscription details to the attacker's control.
  • Changing the organization's status to Managed, potentially restricting your control.

Self-hosted installations are not affected by this vulnerability as the endpoint is restricted to cloud environments.

Detection Guidance

Detection of this vulnerability involves identifying unauthorized or suspicious POST requests to the endpoint /providers/{providerId}/clients/existing that add arbitrary organizations to a provider.

Monitoring network traffic or server logs for POST requests to this endpoint with unexpected organization GUIDs can help detect exploitation attempts.

Since the vulnerability allows a provider service user to add arbitrary organizations without proper authorization, commands to inspect logs or network traffic for such requests include:

  • Using grep or similar tools to search server access logs for POST requests to /providers/*/clients/existing, for example: grep 'POST /providers/' /var/log/bitwarden/access.log | grep '/clients/existing'
  • Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to the affected endpoint, e.g., tcpdump -A -s 0 'tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' and then filtering for the URI /providers/{providerId}/clients/existing.
  • Reviewing application logs for authorization failures or unexpected organization additions.

Note that the vulnerability is specific to cloud installations and the endpoint is restricted to cloud environments.

Mitigation Strategies

The primary mitigation step is to upgrade Bitwarden Server to version 2026.4.0 or later, where the vulnerability has been fixed by adding proper authorization checks.

The fix includes verifying that the user is authenticated, is the owner of the organization being added, and that the organization can be added to the provider before processing the request.

If immediate upgrade is not possible, restrict access to the affected endpoint /providers/{providerId}/clients/existing to trusted users only, and monitor for suspicious activity.

Additionally, review provider service user permissions to ensure they are not overly permissive.

Implement network-level controls such as firewall rules or API gateway policies to limit access to the vulnerable endpoint.

Finally, audit organization ownership and billing information for any unauthorized changes that may have occurred due to exploitation.

Compliance Impact

The provided context and resources do not explicitly discuss the impact of CVE-2026-43639 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43639. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart