CVE-2026-43638 Overview
CVE-2026-43638 is a missing authorization vulnerability [CWE-862] in Bitwarden Server prior to v2026.4.1. Any authenticated user can write ciphers into an arbitrary organization by sending a POST /ciphers/import-organization request with an empty collections array. The empty array causes the server-side permission check to be skipped, bypassing the organization access controls that normally restrict imports to authorized members.
Critical Impact
Authenticated attackers can inject ciphers into organizations they do not belong to, enabling data pollution, phishing-style credential planting, and integrity attacks against shared password vaults.
Affected Products
- Bitwarden Server versions prior to v2026.4.1
- Self-hosted Bitwarden Server deployments
- Organizations using the /ciphers/import-organization API endpoint
Discovery Timeline
- 2026-05-11 - CVE-2026-43638 published to NVD
- 2026-05-16 - Last updated in NVD database
Technical Details for CVE-2026-43638
Vulnerability Analysis
The flaw resides in the ImportCiphersController in the Bitwarden Server API. When a user calls POST /ciphers/import-organization, the controller validates the caller's permission against the list of target collections supplied in the request body. The permission logic assumes that any import request includes at least one collection identifier to authorize against. Submitting an empty collections array satisfies the input schema but produces a permission check that evaluates over zero items, returning a truthy result by default.
The handler then proceeds to write the imported ciphers into the target orgId provided in the request. Because the caller's organization membership and role were never enforced, the write succeeds against organizations the attacker has no relationship with. The vulnerability impacts confidentiality and integrity of organization vault data at low severity, since the attacker writes data but cannot directly exfiltrate existing ciphers.
Root Cause
The root cause is missing authorization on a collection-scoped permission check that fails open when the collection list is empty. The fix renames and replaces the synchronous CheckOrgImportPermission call with an asynchronous CheckOrgImportPermissionAsync and tightens validation so that imports without collections are properly authorized against organization-level roles, including provider access checks.
Attack Vector
The attack vector is network-based and requires only a low-privileged authenticated session. An attacker crafts an HTTP POST to /ciphers/import-organization with a valid bearer token, a target organizationId, a populated ciphers array, and an empty collections: []. The server skips the authorization gate and persists the ciphers under the targeted organization.
// Security patch in src/Api/Tools/Controllers/ImportCiphersController.cs
var collections = model.Collections.Select(c => c.ToCollection(orgId)).ToList();
//An User is allowed to import if CanCreate Collections or has AccessToImportExport
- var authorized = await CheckOrgImportPermission(collections, orgId);
+ var authorized = await CheckOrgImportPermissionAsync(collections, orgId);
if (!authorized)
{
throw new BadRequestException("Not enough privileges to import into this organization.");
Source: GitHub Commit ebbf6dd0
Detection Methods for CVE-2026-43638
Indicators of Compromise
- HTTP POST requests to /ciphers/import-organization containing an empty collections array in the JSON body.
- Unexpected cipher entries appearing in organization vaults that were not created by authorized members.
- API audit log entries showing successful imports by users who are not members of the target organization.
Detection Strategies
- Inspect web server and application logs for POST /ciphers/import-organization calls and correlate the requesting user ID with their organization memberships.
- Alert on import operations where the collections field in the request body is null or empty.
- Review recent cipher creation events tied to the Import source and validate them against expected organizational workflows.
Monitoring Recommendations
- Forward Bitwarden Server API logs and database audit events to a centralized SIEM for retroactive review.
- Baseline normal import volume per organization and trigger anomalies on sudden spikes in cipher creation by single users.
- Monitor for low-privileged accounts performing administrative actions such as bulk imports across multiple organizations.
How to Mitigate CVE-2026-43638
Immediate Actions Required
- Upgrade Bitwarden Server to v2026.4.1 or later, which contains the patched CheckOrgImportPermissionAsync authorization check.
- Audit organization vaults for unexpected ciphers created since deployment of the vulnerable versions and remove unauthorized entries.
- Rotate any credentials or secrets stored in organizations that show evidence of unauthorized imports.
Patch Information
The fix is delivered in Bitwarden Server release v2026.4.1 via pull request #7394. The patch replaces the permission check with an async variant and adds provider import validation in src/Core/Tools/ImportFeatures/ImportCiphersCommand.cs. Self-hosted operators should pull the updated container image and redeploy. Additional analysis is available in the Bitwarden Import Bypass Analysis and the VulnCheck Advisory for Bitwarden.
Workarounds
- Restrict access to the Bitwarden API at the network layer to known administrative IPs until patching is complete.
- Use a reverse proxy or WAF rule to block requests to /ciphers/import-organization that contain an empty collections array.
- Temporarily disable the import-to-organization feature in client policies if upgrading immediately is not feasible.
# Example NGINX rule to block empty-collections imports until patched
location /ciphers/import-organization {
if ($request_method = POST) {
access_by_lua_block {
ngx.req.read_body()
local body = ngx.req.get_body_data() or ""
if body:match('"collections"%s*:%s*%[%s*%]') then
ngx.exit(403)
end
}
}
proxy_pass http://bitwarden_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
