Tag
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability (CVE-2026-43639) that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization in cloud-hosted deployments.