Bitwarden Server CVE-2026-43639 Allows Organization Takeover on Cloud

The National Vulnerability Database reports a critical missing-authorization vulnerability, CVE-2026-43639, affecting Bitwarden Server versions prior to v2026.4.0. The flaw, which carries a high CVSS score of 8, allows a provider service user to add an arbitrary organization to their provider via the POST /providers/{providerId}/clients/existing endpoint. The consequence is a full takeover of the target organization.

Crucially, this vulnerability is specific to Bitwarden’s cloud deployments. Self-hosted installations are explicitly noted as unaffected, as the problematic endpoint is restricted to the cloud environment. This distinction is vital for defenders to understand; not all Bitwarden users face the same exposure.

This isn’t just a misconfiguration; it’s a fundamental authorization bypass. An attacker with provider service user access could leverage this to gain control over other organizations within the Bitwarden ecosystem, potentially exposing sensitive credentials and secrets managed by those organizations. The attacker’s calculus here is straightforward: target an existing provider service user, compromise their account, and then expand control across multiple linked organizations.

What This Means For You

  • If your organization uses Bitwarden Cloud, this is a critical alert. While self-hosted instances are safe, cloud users must verify their Bitwarden Server version immediately. Patch to v2026.4.0 or newer without delay. Furthermore, audit provider service user activity logs for any suspicious organization additions or changes. This is a supply-chain risk within the cloud service itself, demanding swift action.

Detection Rules

The Sigma rule below (one of two auto-generated for this advisory) is mapped to MITRE ATT&CK T1190 (Initial Access) and rated critical.

Bitwarden Cloud Organization Takeover Attempt - CVE-2026-43639

Sigma YAML:
title: Bitwarden Cloud Organization Takeover Attempt - CVE-2026-43639
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects the specific API endpoint used in Bitwarden Server CVE-2026-43639 to add an arbitrary organization to a provider account. This is a critical indicator of an attempted organization takeover on Bitwarden Cloud.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43639/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'POST'
    cs-uri:
      - '/providers/*/clients/existing'
  condition: selection
falsepositives:
  - Legitimate administrative activity
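
As an added illustration (not part of the original advisory or of the rule above), the following Python applies the rule's selection logic to constructed W3C-style web server log lines, normalising query strings and trailing slashes before matching and pulling out the providerId and caller for the audit the advisory recommends; the log field layout and the sample lines are assumptions.

```python
import re
from collections import Counter

# Field names and values are those of the Sigma selection above; the log
# layout is an assumption (W3C-style: date time c-ip cs-method cs-uri sc-status cs-username).
SIGMA_SELECTION = {"cs-method": ["POST"], "cs-uri": ["/providers/*/clients/existing"]}
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri", "sc-status", "cs-username"]

# Constructed sample lines, not real Bitwarden Cloud traffic.
SAMPLE_LOG = """\
2026-05-11 21:20:01 203.0.113.7 POST /providers/3f2a9c1e-aaaa-bbbb-cccc-111122223333/clients/existing 200 svc-user-a
2026-05-11 21:20:05 198.51.100.9 GET /providers/3f2a9c1e-aaaa-bbbb-cccc-111122223333/clients 200 svc-user-a
2026-05-11 21:21:10 203.0.113.7 POST /providers/3f2a9c1e-aaaa-bbbb-cccc-111122223333/clients/existing/?ref=ui 204 svc-user-a
2026-05-11 21:22:00 192.0.2.4 POST /organizations/8d1e0000-0000-0000-0000-000000000001/users 200 org-admin
2026-05-11 21:23:30 203.0.113.7 post /providers/deadbeef-0000-1111-2222-333344445555/clients/existing 403 svc-user-b
"""

def sigma_value_to_regex(value: str) -> re.Pattern:
    """Sigma string semantics: case-insensitive, '*' = any run, '?' = one char, whole value."""
    escaped = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{escaped}$", re.IGNORECASE)

MATCHERS = {f: [sigma_value_to_regex(v) for v in vals] for f, vals in SIGMA_SELECTION.items()}
PROVIDER_ID = re.compile(r"^/providers/([^/]+)/clients/existing$", re.IGNORECASE)

def parse_line(line: str) -> dict:
    event = dict(zip(FIELDS, line.split()))
    # Normalise the URI so a query string or trailing slash does not evade the pattern.
    event["cs-uri"] = event["cs-uri"].split("?", 1)[0].rstrip("/")
    return event

def selection_matches(event: dict) -> bool:
    """Sigma map semantics: every field must match (AND); values within a field are OR."""
    return all(any(rx.match(event.get(f, "")) for rx in rxs) for f, rxs in MATCHERS.items())

def detect(log_text: str) -> list:
    """Return one triage record per log line that matches the rule's selection."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        if selection_matches(ev):
            m = PROVIDER_ID.match(ev["cs-uri"])
            hits.append({"user": ev["cs-username"], "ip": ev["c-ip"],
                         "status": ev["sc-status"], "provider_id": m.group(1) if m else None})
    return hits

def hits_per_user(hits: list) -> Counter:
    """Audit view: attach attempts per provider service user, as the advisory recommends."""
    return Counter(h["user"] for h in hits)
```

Because the rule matches on the request alone, a 403 response is still reported; correlate the status and the per-user counts with your provider audit logs before treating a hit as a successful takeover.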

Indicators of Compromise

ID              Type         Indicator
CVE-2026-43639  Auth Bypass  Bitwarden Server < v2026.4.0
CVE-2026-43639  Auth Bypass  POST /providers/{providerId}/clients/existing
CVE-2026-43639  Auth Bypass  Missing Authorization

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
