Description
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).
Published: 2026-05-11
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bitwarden Server versions prior to 2026.4.0 contain a missing authorization flaw that allows a provider service user to call the endpoint POST /providers/{providerId}/clients/existing and add any organization to the provider. The vulnerability is a classic example of CWE‑862 – missing access control. The execution of this exploit gives the attacker the ability to assume control of the chosen organization, gaining unrestricted access to that organization's vault data, policies, and member accounts.

Affected Systems

The affected product is Bitwarden Server with all releases before 2026.4.0. Self‑hosted instances are not impacted because the vulnerable endpoint is exposed only to the Cloud deployment (SelfHosted(NotSelfHostedOnly = true)).

Risk and Exploitability

The CVSS score of 8.9 classifies this issue as high severity. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog, but the lack of protection on a central server endpoint means a provider who already has an authenticated session could read or manipulate any organization’s data. The exploit requires an attacker to possess valid credentials for a provider account and to know the target organization’s identifier, making it a moderate-to-high risk scenario for organizations relying on the provider model.

Generated by OpenCVE AI on May 11, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bitwarden Server to version 2026.4.0 or later, which implements proper authorization checks for the provider client endpoint
  • If an immediate upgrade is not possible, restrict access to POST /providers/{providerId}/clients/existing by configuring a firewall rule or deploying an API gateway that blocks the endpoint for unauthenticated or non‑owner provider accounts
  • Audit existing provider accounts and revoke any that are unnecessary, then monitor provider activity logs for anomalous organization‑add requests

Generated by OpenCVE AI on May 11, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Bitwarden
Bitwarden server
Vendors & Products Bitwarden
Bitwarden server
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).
Title Bitwarden Server < 2026.4.0 Missing Authorization via Provider Clients
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Bitwarden Server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T19:14:22.085Z

Reserved: 2026-05-01T18:22:45.642Z

Link: CVE-2026-43639

cve-icon Vulnrichment

Updated: 2026-05-11T19:14:04.106Z

cve-icon NVD

Status : Received

Published: 2026-05-11T18:16:36.970

Modified: 2026-05-11T18:16:36.970

Link: CVE-2026-43639

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T20:00:13Z

Weaknesses