CVE Vulnerabilities for Bitwarden Server
| CVE | Published | Severity | Details | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| CVE‑2026‑43640 | 2026‑05‑11 18:16:37 | HIGH (9) | Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session. | 0 | 0 | NETWORK |
| CVE‑2026‑43639 | 2026‑05‑11 18:16:37 | HIGH (9) | Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true). | 0 | 0 | NETWORK |
| CVE‑2026‑43638 | 2026‑05‑11 18:16:37 | MEDIUM (5) | Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side permission check to be skipped. | 0 | 0 | NETWORK |
| CVE‑2020‑15879 | 2020‑07‑21 17:15:12 | HIGH (8) | Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8, and 169.254.0.0/16). | 4 | 4 | NETWORK |
| CVE‑2019‑19766 | 2019‑12‑12 19:15:21 | HIGH (8) | The Bitwarden server through 1.32.0 has a potentially unwanted KDF. | 4 | 4 | NETWORK |
View OS-specific patching for:
Windows Mac Linux
Logos, products, trade names, and company names are all the property of their respective trademark holders.
The above listing includes products that Lavawall® monitors through public information and/or proprietary statistical analysis.
Although we do have a partner relationship with some of the listed products and companies, they do not necessarily endorse Lavawall® or have integrations with our systems.