Bitwarden Server Missing Authorization Vulnerability in Provider Clients Endpoint Allowing Organization Takeover

Vulnerability

A missing authorization vulnerability has been identified in Bitwarden Server versions prior to 2026.4.0. The POST /providers/{providerId}/clients/existing endpoint, which links an existing organization to a provider as a client, does not check that the calling provider service user is entitled to act on the organization being linked. An authenticated provider service user can therefore attach an arbitrary organization to a provider they belong to and take that organization over. Self-hosted installations are not affected, because this endpoint is only available to Bitwarden Cloud users.

Impact

Exploitation allows an attacker to take over organizations they do not belong to by linking them to a provider under their control. Once linked, the attacker can manage the organization as a provider client, including canceling its Stripe subscription, rewriting its billing information, and changing its status.

Reproduction

To reproduce, an authenticated provider service user sends a POST request to /providers/{providerId}/clients/existing, where providerId identifies a provider the attacker is a member of and the body names the ID of an organization that belongs to a different user. The body also carries a key; its value is not validated, so any value is accepted. If the request is accepted, the organization is linked to the attacker's provider and the takeover is complete.
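To make the authorization gap concrete, the following Python model contrasts the vulnerable decision (provider membership is checked, but the organization ID in the body is trusted as-is) with a hardened one that performs object-level authorization on the target organization. This is an added illustration, not Bitwarden's server code (which is C#): the data model, the role names, the "caller must be an owner of the organization" rule, the field name key and the sample IDs are all assumptions, and the page does not state how the real fix decides authorization.

```python
"""Model of a missing object-level authorization check on a client-linking endpoint.

Added example, not Bitwarden's code. Roles, the ownership rule and all IDs are
assumptions used to demonstrate the vulnerability class.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Raised when a caller is not entitled to perform the requested action."""


@dataclass
class Organization:
    org_id: str
    owners: set[str]                       # user IDs holding the Owner role (assumed)
    provider_id: Optional[str] = None      # provider the org is linked to, if any


@dataclass
class Provider:
    provider_id: str
    members: set[str]                      # provider users of any role, incl. service users
    clients: set[str] = field(default_factory=set)


@dataclass
class Store:
    orgs: dict[str, Organization]
    providers: dict[str, Provider]


def add_existing_client_vulnerable(store: Store, caller: str, provider_id: str,
                                   organization_id: str, key: str) -> str:
    """Pre-fix behaviour as described on the page: only provider membership is checked.

    The organization ID is trusted, so any organization can be linked. The key is
    accepted without validation (the page says any value works).
    """
    provider = store.providers[provider_id]
    if caller not in provider.members:
        raise Forbidden("caller is not a member of this provider")
    org = store.orgs[organization_id]      # no check that the caller may act on org
    org.provider_id = provider_id
    provider.clients.add(organization_id)
    return org.provider_id


def add_existing_client_fixed(store: Store, caller: str, provider_id: str,
                              organization_id: str, key: str) -> str:
    """Hardened model (assumed rule, not necessarily the project's actual fix).

    The caller must hold the Owner role in the organization being linked, and the
    organization must not already belong to a different provider.
    """
    provider = store.providers[provider_id]
    if caller not in provider.members:
        raise Forbidden("caller is not a member of this provider")
    org = store.orgs.get(organization_id)
    if org is None or caller not in org.owners:
        # Same error for "unknown" and "not yours" so org IDs cannot be enumerated.
        raise Forbidden("caller has no authority over the requested organization")
    if org.provider_id is not None and org.provider_id != provider_id:
        raise Forbidden("organization already belongs to another provider")
    org.provider_id = provider_id
    provider.clients.add(organization_id)
    return org.provider_id


def build_store() -> Store:
    """Constructed sample data (hypothetical IDs, not real Bitwarden identifiers)."""
    return Store(
        orgs={
            "org-victim": Organization("org-victim", owners={"bob"}),   # bob's org
            "org-own": Organization("org-own", owners={"alice"}),       # alice's own org
        },
        providers={
            "prov-attacker": Provider("prov-attacker", members={"alice"}),
        },
    )


def demo() -> tuple[str, bool]:
    """Run the attack (alice links bob's org) against both models.

    Returns (provider the victim org ended up linked to under the vulnerable model,
             whether the fixed model blocked the same request).
    """
    vulnerable = build_store()
    linked_to = add_existing_client_vulnerable(
        vulnerable, "alice", "prov-attacker", "org-victim", key="arbitrary")

    fixed = build_store()
    try:
        add_existing_client_fixed(fixed, "alice", "prov-attacker", "org-victim", key="arbitrary")
        blocked = False
    except Forbidden:
        blocked = True
    return linked_to, blocked


if __name__ == "__main__":
    print(demo())
```

The legitimate case (alice linking org-own, where she is an owner) still succeeds under the hardened model, which is the property to preserve when adding such a check: the fix must authorize on the object named in the request body, not only on the provider in the URL path.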

Remediation

The fix is included in Bitwarden Server 2026.4.0. Self-hosted administrators should update to 2026.4.0 or later, even though the vulnerable endpoint is not exposed on self-hosted deployments. Bitwarden Cloud customers cannot apply the update themselves; the hosted service is updated by Bitwarden.

Added: May 11, 2026, 6:31 PM
Updated: May 11, 2026, 6:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.