Description
Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.
Published: 2026-05-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bitwarden Server installations older than version 2026.4.1 allow an authenticated user with SCIM management privileges to retrieve or rotate an organization’s SCIM API key without re-authenticating with the master password. The flaw bypasses an authentication step: an attacker holding such a session gains control of a key that can be used to impersonate users or provision accounts through the SCIM endpoint. This lets an attacker compromise an organization’s identity federation without any further exploitation steps.

Affected Systems

Any Bitwarden Server installation running a release earlier than 2026.4.1 is affected. The flaw applies to every installation that has SCIM enabled and has granted SCIM management privileges to users. No version at or after 2026.4.1 is reported as vulnerable.

Risk and Exploitability

The CVSS score of 8.6 categorizes the issue as high severity. While no EPSS value is available and the vulnerability is not listed in the CISA KEV catalog, the attack requires an authenticated session with SCIM privileges, so the risk comes primarily from insiders or compromised accounts. Once the key is extracted, the attacker can act with the permissions granted to that key, potentially creating or deleting users, provisioning applications, and altering the organization’s identity setup.

Generated by OpenCVE AI on May 11, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bitwarden Server to version 2026.4.1 or later to apply the vendor fix for the SCIM API key authentication bypass.
  • If an upgrade cannot be performed immediately, limit SCIM management privileges to a minimal set of trusted personnel and consider disabling SCIM for non-essential services.
  • Apply additional monitoring to detect abnormal SCIM key retrieval or rotation activity, and audit revocation of compromised keys as soon as feasible.

Generated by OpenCVE AI on May 11, 2026 at 19:38 UTC.
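The following is an added illustration, not Bitwarden's code: a minimal model of the pattern the description and the monitoring recommendation above refer to. The "before fix" handler hands out the SCIM key to any valid session with SCIM privileges; the hardened handlers require the master password to be re-proved on the request itself and write an audit event that monitoring can read. All names, the user store and the salt are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

_SALT = b"constructed-demo-salt"   # constructed; a real store uses a per-user salt


def _verifier(password: str) -> bytes:
    # Stand-in for a server-side master-password verifier (salted, slow hash).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _verifier("correct horse battery")}   # constructed user store


@dataclass
class Session:
    user_id: str
    can_manage_scim: bool


@dataclass
class Org:
    org_id: str
    scim_api_key: str
    events: list = field(default_factory=list)   # audit trail that monitoring can consume


def verify_master_password(user_id: str, supplied: str) -> bool:
    stored = USERS.get(user_id)
    return stored is not None and hmac.compare_digest(stored, _verifier(supplied))


def _require_scim_admin(session: Session) -> None:
    if not session.can_manage_scim:
        raise PermissionError("SCIM management privilege required")


def get_scim_key_before_fix(session: Session, org: Org) -> str:
    # The pattern the advisory describes: a valid session with SCIM privileges is enough.
    _require_scim_admin(session)
    return org.scim_api_key


def _require_reauth(session: Session, master_password: str) -> None:
    # Step-up check: the caller must re-prove the master password on this request,
    # so a hijacked or unattended session cannot read or rotate the key on its own.
    _require_scim_admin(session)
    if not verify_master_password(session.user_id, master_password):
        raise PermissionError("master-password re-authentication failed")


def get_scim_key_hardened(session: Session, org: Org, master_password: str) -> str:
    _require_reauth(session, master_password)
    org.events.append(("scim_key_retrieved", session.user_id))
    return org.scim_api_key


def rotate_scim_key_hardened(session: Session, org: Org, master_password: str) -> str:
    _require_reauth(session, master_password)
    org.scim_api_key = secrets.token_urlsafe(32)   # new key; the old one stops working
    org.events.append(("scim_key_rotated", session.user_id))
    return org.scim_api_key
```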

Advisories

No advisories yet.

History

Mon, 11 May 2026 20:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Bitwarden
                                       Bitwarden server
Vendors & Products                     Bitwarden
                                       Bitwarden server

Mon, 11 May 2026 18:00:00 +0000

Type          Values Removed   Values Added
Description                    Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.
Title                          Bitwarden Server < 2026.4.1 Authentication Bypass via SCIM API Key
Weaknesses                     CWE-303
References
Metrics                        cvssV3_1  {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
                               cvssV4_0  {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T17:14:37.931Z

Reserved: 2026-05-01T18:22:45.642Z

Link: CVE-2026-43640

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-11T18:16:37.110

Modified: 2026-05-11T18:16:37.110

Link: CVE-2026-43640

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T19:45:08Z

Weaknesses