Thomas Rittson

1 exploit Active since May 2026
CVE-2026-43639 WRITEUP HIGH WRITEUP
Bitwarden Server < 2026.4.0 Missing Authorization via Provider Clients
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).
CVSS 8.0