ZeroPath at Black Hat USA 2026

Bitwarden Cloud CVE-2026-43639: Quick Look at the Provider Organization Takeover Vulnerability

A brief summary of CVE-2026-43639, a missing authorization flaw in Bitwarden Server that allowed provider service users to hijack arbitrary organizations on the Cloud platform by exploiting an unprotected API endpoint.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-11

Bitwarden Cloud CVE-2026-43639: Quick Look at the Provider Organization Takeover Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing authorization check in Bitwarden Server's provider API allowed any vetted provider service user to silently hijack arbitrary organizations on the Bitwarden Cloud platform, canceling their subscriptions and seizing billing control in the process. For the millions of organizations relying on Bitwarden Cloud for credential management, this vulnerability (now patched in version 2026.4.0) represented a serious control plane risk even though encrypted vault data remained protected by the organization symmetric key.

Bitwarden is one of the most widely adopted open source password managers, ranking first in the G2 Enterprise Grid for eleven consecutive quarters. It serves individuals, teams, and enterprises with both Cloud hosted and self hosted deployment options, making it a critical piece of security infrastructure across a broad range of organizations.

Technical Information

Root Cause: Authorization Disparity Between GET and POST

The core issue is a classic authorization gap between two related API operations on the same resource. The POST /providers/{providerId}/clients/existing endpoint allows a provider to associate an existing organization with their provider account. While the corresponding GET request correctly enforced ownership through SQL queries that restricted results to organizations owned by the calling user, the POST request accepted any organization GUID in the request body without performing an equivalent ownership check.

The controller validated only that the caller was a confirmed member of their own provider. It never verified whether the caller had any relationship to the target organization specified in the request body. This is a textbook instance of CWE-862 (Missing Authorization).

Attack Flow

An attacker with a legitimate (vetted) Bitwarden provider account could exploit this vulnerability through the following sequence:

  1. Obtain a target organization GUID. The attacker needs the GUID of the victim organization. While not publicly enumerable, GUIDs can potentially be obtained through other information disclosure vectors or social engineering.

  2. Send a POST request to the vulnerable endpoint. The attacker crafts a request to POST /providers/{providerId}/clients/existing with the victim organization's GUID in the request body, using their own provider ID in the URL path.

  3. Destructive state changes execute automatically. The service method processes the request and performs the following operations on the victim organization before any proper authorization boundary is reached:

    • Cancels the victim's Stripe subscription with immediate invoicing enabled
    • Overwrites the organization's billing email to match the attacker's provider
    • Nullifies the gateway subscription ID and expiration date
    • Sets the organization status to "Managed" and links it to the attacker's provider
  4. Control plane takeover is complete. The attacker now controls the organization's billing relationship and management status. Full vault data decryption is not possible without the organization symmetric key, but the administrative and financial takeover succeeds regardless.

The Fix

The remediation implemented in commit 0918bfd introduces three distinct authorization layers to the endpoint:

var userId = _currentContext.UserId; if (!userId.HasValue) { return Error.Unauthorized(); } var (provider, result) = await TryGetBillableProviderForAdminOperation(providerId); if (provider == null) return result; if (!await _currentContext.OrganizationOwner(requestBody.OrganizationId)) { return Error.Unauthorized(); }

This patch accomplishes three things: it elevates the required role to provider admin (via TryGetBillableProviderForAdminOperation), it explicitly checks that the caller is an owner of the target organization, and it ensures the organization appears in the list of addable organizations. Integration tests were added alongside the fix to assert that Unauthorized and NotFound responses are returned for invalid attempts.

Cloud Only Scope

The vulnerable endpoint is decorated with the SelfHosted(NotSelfHostedOnly = true) attribute, which restricts it exclusively to Bitwarden Cloud environments. Self hosted Bitwarden installations never expose this endpoint, making them entirely unaffected by this vulnerability.

Severity Assessment

SourceScoreNotes
VulnCheck CNA8.9 High (CVSS 4.0)AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Researcher Assessment8.0 HighAdjusted during triage for high privilege requirements and complexity
NVDPendingNVD assessment not yet published

The high privilege requirement (vetted provider account) and the need for a valid target organization GUID moderate the practical exploitability, but the impact on a successful attack is severe.

Affected Systems and Versions

  • Bitwarden Server versions prior to 2026.4.0 running in Cloud environments are vulnerable.
  • Self hosted Bitwarden installations are not affected, as the vulnerable endpoint is restricted to Cloud via the SelfHosted(NotSelfHostedOnly = true) attribute.
  • The fix is included in Bitwarden Server version 2026.4.0 and later.

Vendor Security History

Bitwarden maintains a transparent security posture with public source code repositories, SOC 2 Type II and SOC 3 compliance certifications, and an active Vulnerability Disclosure Program through HackerOne. The vendor responded rapidly to this report, completing triage within days and merging the fix shortly after.

In a separate incident on April 22, 2026, the Bitwarden security team identified and contained a malicious package distributed through the npm delivery path for the Bitwarden CLI. That supply chain compromise was contained within 93 minutes, with no evidence of vault data access. While unrelated to CVE-2026-43639, the proximity in timing highlights the importance of monitoring all update channels for Bitwarden components.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization