Description
Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side permission check to be skipped.
Published: 2026-05-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bitwarden Server versions earlier than 2026.4.1 contain a missing authorization check that allows any authenticated user to write cipher data into an arbitrary organization by calling POST /ciphers/import-organization with an empty collections array. The flaw is a classic authorization bypass (CWE‑862) that lets users perform actions outside their granted permissions without triggering the usual server‑side permission validation.

Affected Systems

The vulnerability affects the Bitwarden Server product. Any installation running a version older than 2026.4.1 is potentially exposed. The failing endpoint is the organization‑level cipher import route used for bulk imports of cipher data into organizational vaults.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalogue. Exploitation requires only an authenticated user account; no elevated privileges or network exposure are needed. An attacker can inject arbitrary cipher records into organisations they do not own, potentially enabling data leakage or privilege escalation within those organisations.

Generated by OpenCVE AI on May 11, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bitwarden Server to version 2026.4.1 or later, which removes the missing authorization check on the organization import API.
  • If an immediate upgrade is not possible, block or restrict access to the POST /ciphers/import-organization endpoint for users who are not designated as organization administrators, using firewall rules or an API gateway.
  • Continuously monitor organization cipher import logs for unauthorized or anomalous activity and enforce least‑privilege policies on user roles.

Generated by OpenCVE AI on May 11, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Bitwarden
Bitwarden server
Vendors & Products Bitwarden
Bitwarden server

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side permission check to be skipped.
Title Bitwarden Server < 2026.4.1 Missing Authorization via Organization Cipher Import
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Bitwarden Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T19:03:34.201Z

Reserved: 2026-05-01T18:22:45.642Z

Link: CVE-2026-43638

cve-icon Vulnrichment

Updated: 2026-05-11T18:21:23.769Z

cve-icon NVD

Status : Received

Published: 2026-05-11T18:16:36.823

Modified: 2026-05-11T18:16:36.823

Link: CVE-2026-43638

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T18:45:25Z

Weaknesses