← Back

Server

server

Vendor: Bitwarden • 5 CVEs

CVEs (5)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2026-43640
1Bitwarden
1Server
May 16, 2026
May 11, 2026
8.6 HIGH· v4
8.1 HIGH· v3
N/A· v2
Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain...Show more
Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.Show less
CVE-2026-43639
1Bitwarden
1Server
May 16, 2026
May 11, 2026
8.9 HIGH· v4
9.1 CRITICAL· v3
N/A· v2
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing...Show more
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization; self-hosted installations are unaffected as this endpoint is restricted to Cloud via SelfHosted(NotSelfHostedOnly = true).Show less
CVE-2026-43638
1Bitwarden
1Server
May 16, 2026
May 11, 2026
5.3 MEDIUM· v4
5.4 MEDIUM· v3
N/A· v2
Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting...Show more
Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collections` array, which causes the server-side permission check to be skipped.Show less
CVE-2020-15879
1Bitwarden
1Server
Nov 21, 2024
Jul 21, 2020
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8, and 169.254.0.0/16).
CVE-2019-19766
1Bitwarden
1Server
Nov 21, 2024
Dec 12, 2019
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
The Bitwarden server through 1.32.0 has a potentially unwanted KDF.