Skip to main content

Bitwarden Server EUVDEUVD-2026-29170

| CVE-2026-43639 HIGH
Missing Authorization (CWE-862)
2026-05-11 VulnCheck GHSA-79fq-fw2p-vq3j
8.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 11, 2026 - 18:45 vuln.today
Analysis Generated
May 11, 2026 - 18:45 vuln.today
CVSS changed
May 11, 2026 - 18:22 NVD
8.0 (HIGH) 8.9 (HIGH)
CVE Published
May 11, 2026 - 17:14 nvd
HIGH 8.9

DescriptionCVE.org

Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via POST /providers/{providerId}/clients/existing, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).

AnalysisAI

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access, achieving complete administrative takeover. The vulnerability exploits a missing authorization check in the POST /providers/{providerId}/clients/existing endpoint, allowing authenticated provider users to add any organization to their provider without the target's consent. Publicly available exploit code exists (detailed writeup by Sanjok Karki), and vendor-released patch v2026.4.0 fully addresses the issue via GitHub PR #7372. Self-hosted installations are unaffected due to endpoint access restrictions. CVSS 8.9 reflects high confidentiality, integrity, and availability impact with high attack complexity and high privilege requirements.

Technical ContextAI

The vulnerability stems from a missing authorization check (CWE-862) in Bitwarden Server's provider management API endpoint. Bitwarden uses a provider-client model where Managed Service Providers (MSPs) manage multiple customer organizations. The vulnerable endpoint POST /providers/{providerId}/clients/existing was designed to add existing organizations to a provider's management scope, but failed to verify whether the authenticated provider service user had legitimate authority over the target organization. This authorization gap is particularly critical in multi-tenant SaaS environments where tenant isolation is paramount. The endpoint includes a SelfHosted(NotSelfHostedOnly = true) attribute, restricting this functionality to Bitwarden's Cloud platform only, which explains why self-hosted deployments are unaffected. The fix in commit 0918bfdda6f implements proper authorization validation before allowing organization-provider association.

RemediationAI

Upgrade Bitwarden Server Cloud to version 2026.4.0 immediately, which implements authorization validation via GitHub PR #7372 (commit 0918bfdda6f). For Bitwarden Cloud customers, the vendor likely applies this patch to their hosted infrastructure automatically, but administrators should verify their instance version through the admin console and confirm upgrade completion with Bitwarden support if uncertainty exists. Self-hosted installations require no action as the vulnerable endpoint is disabled in these deployments. As interim compensating controls while awaiting patch deployment, organizations using provider features should audit all provider-client associations via the admin console to detect unauthorized organization additions, revoke provider service user access for accounts not requiring MSP management capabilities (reducing attack surface), enable comprehensive audit logging for provider API operations to detect exploitation attempts, and implement anomalous API activity monitoring specifically for POST requests to /providers/*/clients/* endpoints. These mitigations reduce but do not eliminate risk since detection is reactive rather than preventive. Full remediation requires upgrading to v2026.4.0. Review GitHub release notes for any deployment considerations: https://github.com/bitwarden/server/releases/tag/v2026.4.0.

More in Server

View all
CVE-2018-1000881 CRITICAL POC
9.8 Dec 20

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2021-42973 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl

CVE-2021-42972 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple

CVE-2026-43640 HIGH POC
8.6 May 11

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2023-30223 HIGH POC
7.5 Jun 16

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen

CVE-2023-30222 HIGH POC
7.5 Jun 16

An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2017-7855 MEDIUM POC
6.1 Aug 31

In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet

CVE-2022-39395 CRITICAL
9.9 Nov 10

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se

CVE-2026-49261 CRITICAL
9.8 Jun 11

OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes b

Share

EUVD-2026-29170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy