VYPR
High severity · 8.0 · NVD Advisory · Published May 11, 2026 · Updated May 16, 2026

CVE-2026-43639

Description

Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via POST /providers/{providerId}/clients/existing, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).

Affected products

  • Bitwarden/Server (3 versions)
    • (no CPE)
    • cpe:2.3:a:bitwarden:server:*:*:*:*:*:*:*:* (range: <2026.4.0)
    • (no CPE) (range: < v2026.4.0)
