PT-2026-39716 · Bitwarden · Bitwarden Server

·

CVE-2026-43639

·

Published

2026-05-11

·

Updated

2026-05-16

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Bitwarden Server versions prior to 2026.4.0
Description A missing authorization issue allows a provider service user to add an arbitrary organization to their provider. This is possible through the 'POST /providers/{providerId}/clients/existing' endpoint, where the providerId variable is used. Successful exploitation can result in the takeover of the target organization. This issue specifically affects Cloud installations, as the endpoint is restricted and not available in self-hosted environments.
Recommendations Update to version 2026.4.0 or later.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43639

Affected Products

Bitwarden Server