CVE-2026-43639
Status: Received - Intake
Bitwarden Server Missing Authorization Leading to Organization Takeover

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulnCheck

Description
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).
Meta Information
Generated: 2026-05-11
AI Q&A generated: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: bitwarden
Product: server
Version / Range: all versions before 2026.4.0 (2026.4.0 itself is not affected)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-43639 is a missing authorization vulnerability in Bitwarden Server versions prior to 2026.4.0 that affects Bitwarden Cloud only. It allows a provider service user to add an arbitrary organization to their provider via the POST /providers/{providerId}/clients/existing endpoint without any check that the caller owns that organization. An attacker who holds a provider account can therefore take over a target organization by linking it to their own provider, gaining control over that organization.

The vulnerability arises because the POST endpoint trusted the organization GUID supplied in the request body without verifying that the user owns the organization. This contrasts with the GET /clients/addable endpoint, which correctly enforced ownership checks. The flaw enabled attackers to manipulate billing details, cancel subscriptions, and change organization status, leading to a takeover.

The issue was fixed in version 2026.4.0 by adding explicit ownership and authorization checks, ensuring the user is authenticated, is the owner of the organization, and that the organization can be added to the provider before proceeding.
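The shape of the missing check, and of the fix described above, as an added illustration that is not Bitwarden's code. The data model, the function names and the "can be added" rule (assumed here to mean the organization is not already managed by a provider) are assumptions made for the example; what it shows is that the organization GUID from the request body must not be acted on until the caller is shown to own that organization.

```python
"""Authorization check for "add an existing organization to a provider", modeled.

Added illustration, not Bitwarden's code: the data model, function names and the
"can be added" rule (assumed: the organization is not already managed by a
provider) are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from uuid import UUID, uuid4


class Forbidden(Exception):
    """The caller is not allowed to perform the action."""


@dataclass
class Organization:
    id: UUID
    owner_ids: set[UUID] = field(default_factory=set)  # users holding the Owner role
    provider_id: UUID | None = None                    # managing provider, if any
    status: str = "Created"


@dataclass
class Provider:
    id: UUID
    service_user_ids: set[UUID] = field(default_factory=set)


@dataclass
class Store:
    organizations: dict[UUID, Organization] = field(default_factory=dict)
    providers: dict[UUID, Provider] = field(default_factory=dict)


def add_existing_client_vulnerable(store: Store, user_id: UUID,
                                   provider_id: UUID, org_id: UUID) -> Organization:
    """Vulnerable shape (CWE-862): checks provider membership only, then trusts the
    organization GUID from the request body. Any provider service user can attach
    any organization."""
    if user_id not in store.providers[provider_id].service_user_ids:
        raise Forbidden("caller is not a service user of this provider")
    org = store.organizations[org_id]
    org.provider_id, org.status = provider_id, "Managed"
    return org


def add_existing_client_fixed(store: Store, user_id: UUID | None,
                              provider_id: UUID, org_id: UUID) -> Organization:
    """Hardened shape: authenticated caller, provider membership, ownership of the
    target organization, and the organization must be addable."""
    if user_id is None:
        raise Forbidden("unauthenticated")
    if user_id not in store.providers[provider_id].service_user_ids:
        raise Forbidden("caller is not a service user of this provider")
    org = store.organizations.get(org_id)
    # One response for "no such organization" and "not yours": no existence oracle.
    if org is None or user_id not in org.owner_ids:
        raise Forbidden("caller does not own this organization")
    if org.provider_id is not None:  # assumed "can be added" rule
        raise Forbidden("organization is already managed by a provider")
    org.provider_id, org.status = provider_id, "Managed"
    return org


def _fixture() -> tuple[Store, UUID, UUID, UUID, UUID]:
    """Attacker runs their own provider; the victim organization is owned by someone else."""
    store = Store()
    attacker, victim_owner = uuid4(), uuid4()
    provider = Provider(id=uuid4(), service_user_ids={attacker})
    victim_org = Organization(id=uuid4(), owner_ids={victim_owner})
    store.providers[provider.id] = provider
    store.organizations[victim_org.id] = victim_org
    return store, attacker, victim_owner, provider.id, victim_org.id


def attacker_outcome() -> tuple[bool, bool]:
    """Returns (takeover succeeded on the vulnerable path, on the fixed path)."""
    store, attacker, _, provider_id, org_id = _fixture()
    org = add_existing_client_vulnerable(store, attacker, provider_id, org_id)
    vulnerable_ok = org.provider_id == provider_id and org.status == "Managed"

    store, attacker, _, provider_id, org_id = _fixture()
    try:
        add_existing_client_fixed(store, attacker, provider_id, org_id)
        fixed_ok = True
    except Forbidden:
        fixed_ok = store.organizations[org_id].provider_id is not None
    return vulnerable_ok, fixed_ok


def owner_outcome() -> bool:
    """A legitimate owner who is also a service user of the provider still succeeds."""
    store, _, victim_owner, provider_id, org_id = _fixture()
    store.providers[provider_id].service_user_ids.add(victim_owner)
    org = add_existing_client_fixed(store, victim_owner, provider_id, org_id)
    return org.provider_id == provider_id and org.status == "Managed"


if __name__ == "__main__":
    print("attacker (vulnerable, fixed):", attacker_outcome())
    print("owner on fixed path:", owner_outcome())
```

The fixed path deliberately returns the same error for "organization does not exist" and "organization is not yours", so the endpoint cannot be used to enumerate organization GUIDs even after the ownership check is in place.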


How can this vulnerability impact me?

This vulnerability can have severe impacts if you are using the cloud version of Bitwarden Server. An attacker with a provider account could take over your organization by adding it to their provider, which can lead to unauthorized control over your organization's data and billing.

  • Takeover of the target organization by linking it to the attacker's provider.
  • Cancellation of your organization's Stripe subscription without your consent.
  • Modification of billing email and subscription details to the attacker's control.
  • Changing the organization's status to Managed, potentially restricting your control.

Self-hosted installations are not affected by this vulnerability as the endpoint is restricted to cloud environments.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided context and resources do not explicitly discuss the impact of CVE-2026-43639 on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection means looking for exploitation rather than for the vulnerability itself: a vulnerable build accepts a POST to /providers/{providerId}/clients/existing for any organization with a 2xx response and logs no authorization failure, because the check that would have failed did not exist.

Because the endpoint is only enabled in Bitwarden Cloud, the request logs that would show an abusive POST are held by Bitwarden, not by the organization that was targeted. What an organization can check on its own side is the effect: the organization unexpectedly shown as managed by a provider, a changed billing email, an altered or cancelled subscription, or a status change to Managed.

For whoever operates the API and the TLS-terminating proxy in front of it, the request logs are the place to look:

  • Search the proxy or API access log for POST requests to the endpoint, for example: grep -E 'POST /providers/[0-9a-fA-F-]+/clients/existing' /path/to/access.log (the log path depends on your proxy; this one is a placeholder).
  • Do not rely on a packet capture: traffic on port 443 is TLS-encrypted, so tcpdump or Wireshark on the wire shows no URI at all. Log or capture after TLS termination instead.
  • The organization GUID is carried in the request body, which access logs do not record; correlate each POST with the application's own logs and with the affected organization's ownership and billing records.
  • On a fixed build, rejected attempts surface as authorization failures in the application log; on a vulnerable build there is nothing to find except successful additions.

Note that the vulnerability is specific to cloud installations; the endpoint is disabled on self-hosted servers, so there is nothing to hunt for there.
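The log review described above, as an added example that is not part of the advisory or of Bitwarden's tooling. It assumes a TLS-terminating proxy (nginx or Apache style) writes NCSA combined-format lines for the API, so the request path is visible there; the log below is constructed, with RFC 5737 addresses and made-up GUIDs and timestamps. Since the organization GUID is in the JSON body and not in an access log, the script can only surface which provider made how many successful calls and from where; matching those to a specific organization needs the application's logs.

```python
"""Scan a TLS-terminating proxy's access log for POST /providers/{providerId}/clients/existing.

Added example, not part of the advisory or of Bitwarden's tooling. Assumptions: the
proxy in front of the API writes NCSA combined-format lines, and the request path is
visible because TLS has already been terminated. SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)
# The affected endpoint. The target organization GUID travels in the JSON body,
# which an access log does not record.
TARGET = re.compile(rf"^/providers/(?P<provider>{GUID})/clients/existing/?(?:\?.*)?$")

# Constructed sample: RFC 5737 addresses, made-up GUIDs and timestamps.
SAMPLE_LOG = """\
203.0.113.10 - - [11/May/2026:09:14:02 +0000] "GET /providers/2f4a1c3e-9b7d-4e21-8c55-0a1b2c3d4e5f/clients/addable HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.10 - - [11/May/2026:09:14:05 +0000] "POST /providers/2f4a1c3e-9b7d-4e21-8c55-0a1b2c3d4e5f/clients/existing HTTP/1.1" 200 0 "-" "curl/8.5.0"
203.0.113.10 - - [11/May/2026:09:14:06 +0000] "POST /providers/2f4a1c3e-9b7d-4e21-8c55-0a1b2c3d4e5f/clients/existing HTTP/1.1" 200 0 "-" "curl/8.5.0"
203.0.113.10 - - [11/May/2026:09:14:07 +0000] "POST /providers/2f4a1c3e-9b7d-4e21-8c55-0a1b2c3d4e5f/clients/existing HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.7 - - [11/May/2026:09:20:41 +0000] "POST /providers/7c0e5a9b-1d2f-4a3b-9c8d-7e6f5a4b3c2d/clients/existing?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/May/2026:09:20:45 +0000] "GET /api/sync HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
"""


def parse_hits(log_text: str) -> list[dict]:
    """One record per POST to the affected endpoint: source IP, time, provider GUID, status."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m or m["method"] != "POST":
            continue
        t = TARGET.match(m["path"])
        if not t:
            continue
        hits.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "provider": t["provider"].lower(),
            "status": int(m["status"]),
        })
    return hits


def successes_by_provider(hits: list[dict]) -> dict[str, int]:
    """2xx responses per provider. On a vulnerable build each one is an organization
    that was attached; on a fixed build legitimate additions by organization owners
    land here too, so the count is a lead to verify against ownership records."""
    return dict(Counter(h["provider"] for h in hits if 200 <= h["status"] < 300))


def flag_bursts(hits: list[dict], threshold: int = 3, window_s: int = 60) -> list[str]:
    """Providers with at least `threshold` successful additions from one source IP
    inside one window: several organizations attached in quick succession."""
    groups: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for h in hits:
        if 200 <= h["status"] < 300:
            groups[(h["ip"], h["provider"])].append(h["time"])
    flagged = set()
    for (_, provider), times in groups.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= timedelta(seconds=window_s))
            if in_window >= threshold:
                flagged.add(provider)
                break
    return sorted(flagged)


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    print("successful additions per provider:", successes_by_provider(hits))
    print("providers with a burst from one client:", flag_bursts(hits))
```

The 403 in the sample is what a fixed build returns to a caller who does not own the organization; on a vulnerable build the same request would have been a 200, which is why the successful-call count, not the error count, is the figure to chase.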


What immediate steps should I take to mitigate this vulnerability?

The fix is in Bitwarden Server 2026.4.0, which adds the missing authorization checks. Because the vulnerable endpoint is only enabled in Bitwarden Cloud, the remediation for affected users is Bitwarden's deployment of that release; self-hosted installations are not exposed and need no action specific to this issue beyond staying current.

The fix verifies that the caller is authenticated, is an owner of the organization being added, and that the organization can be added to the provider before the request is processed.

Interim controls such as restricting /providers/{providerId}/clients/existing to trusted users, firewall rules or API gateway policies on that path only apply to an operator who is running the vulnerable code path; a cloud customer cannot apply them and should instead watch for the effects listed above.

Review provider service user membership and permissions so that the right to attach organizations is held only by users who need it.

Finally, audit organization ownership, provider linkage and billing information (billing email, subscription status) for unauthorized changes that may have occurred before the fix was deployed.

