{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/takeover/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-43639"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Bitwarden Server"],"_cs_severities":["high"],"_cs_tags":["cve","bitwarden","takeover","missing-authorization","cloud"],"_cs_type":"advisory","_cs_vendors":["Bitwarden"],"content_html":"\u003cp\u003eBitwarden Server before version 2026.4.0 is susceptible to a missing authorization vulnerability identified as CVE-2026-43639. This flaw allows a malicious provider service user in a multi-tenant cloud environment to add an arbitrary organization to their provider account. The vulnerability is located in the \u003ccode\u003e/providers/{providerId}/clients/existing\u003c/code\u003e endpoint. Successful exploitation leads to the takeover of the target organization, granting the attacker unauthorized access and control. Self-hosted Bitwarden installations are not affected as the vulnerable endpoint is exclusively available in the cloud-hosted version due to the \u003ccode\u003eSelfHosted(NotSelfHostedOnly = true)\u003c/code\u003e restriction. 
This issue was reported by VulnCheck.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates as a legitimate provider service user within a Bitwarden Cloud environment.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003ePOST\u003c/code\u003e request targeting the \u003ccode\u003e/providers/{providerId}/clients/existing\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eproviderId\u003c/code\u003e is replaced with the attacker\u0026rsquo;s provider ID.\u003c/li\u003e\n\u003cli\u003eThe request body includes data identifying the target organization to be added to the attacker\u0026rsquo;s provider account.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization check, the server processes the request without validating whether the attacker has permission to manage the target organization.\u003c/li\u003e\n\u003cli\u003eThe target organization is successfully added to the attacker\u0026rsquo;s provider account.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access and control over the target organization\u0026rsquo;s Bitwarden data.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access sensitive credentials, modify organization settings, and potentially exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-43639 allows an attacker to take over a Bitwarden organization in a cloud-hosted environment. This can lead to significant data breaches, as the attacker gains access to all passwords and secrets stored within the compromised organization\u0026rsquo;s vault. The impact includes potential financial loss, reputational damage, and legal liabilities for the affected organization. 
The number of potentially affected organizations is limited to Bitwarden\u0026rsquo;s cloud-hosted users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Bitwarden Server to version 2026.4.0 or later to patch CVE-2026-43639.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Bitwarden Provider Organization Takeover Attempt\u0026rdquo; to monitor for suspicious POST requests to the \u003ccode\u003e/providers/{providerId}/clients/existing\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for anomalous POST requests to \u003ccode\u003e/providers/{providerId}/clients/existing\u003c/code\u003e originating from provider service users.\u003c/li\u003e\n\u003cli\u003eReview Bitwarden Cloud provider configurations for any unauthorized organization additions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T18:17:55Z","date_published":"2026-05-11T18:17:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-bitwarden-takeover/","summary":"Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability (CVE-2026-43639) that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization in cloud-hosted deployments.","title":"Bitwarden Server Missing Authorization Vulnerability Leading to Organization Takeover (CVE-2026-43639)","url":"https://feed.craftedsignal.io/briefs/2026-05-bitwarden-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Takeover","version":"https://jsonfeed.org/version/1.1"}