PT-2026-39716 · Bitwarden · Bitwarden Server
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Bitwarden Server versions prior to 2026.4.0
Description
A missing authorization issue allows a provider service user to add an arbitrary organization to their provider. This is possible through the 'POST /providers/{providerId}/clients/existing' endpoint, where the
providerId variable is used. Successful exploitation can result in the takeover of the target organization. This issue specifically affects Cloud installations, as the endpoint is restricted and not available in self-hosted environments.Recommendations
Update to version 2026.4.0 or later.
Exploit
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bitwarden Server