CVE-2026-43638

MEDIUM 5.4

Bitwarden Server < 2026.4.1 Missing Authorization via Organization Cipher Import

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side permission check to be skipped.

CWE	CWE-862
Vendor	bitwarden
Product	server
Published	May 11, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for bitwarden server

Be the first to know when new medium vulnerabilities affecting bitwarden server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

bitwarden / server

0 < 2026.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

sanjokkarki.com.np: https://sanjokkarki.com.np/blog/bitwarden-import-org-bypass github.com: https://github.com/bitwarden/server/releases/tag/v2026.4.1 github.com: https://github.com/bitwarden/server/pull/7394 github.com: https://github.com/bitwarden/server/commit/ebbf6dd0fa752114c09d73abb48ce32a50476758 vulncheck.com: https://www.vulncheck.com/advisories/bitwarden-server-missing-authorization-via-organization-cipher-import

Credits

Sanjok Karki