CVE-2026-43639
CRITICAL WAF: Low
CVSS 9.1
Published: 2026-05-11
CWE-862
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).
WAF Coverage Analysis
Missing Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| bitwarden | server | up to 2026.4.0 |
References
- github.com (Patch)
- github.com (Issue Tracking, Patch)
- github.com (Release Notes)
- sanjokkarki.com.np (Exploit, Third Party Advisory)
- www.vulncheck.com (Third Party Advisory)