Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.
References
| Link | Resource |
|---|---|
| https://github.com/bitwarden/server/commit/eb251d9bf80724c87b187661783b9354d1784083 | Patch |
| https://github.com/bitwarden/server/pull/7403 | Issue Tracking, Patch |
| https://github.com/bitwarden/server/releases/tag/v2026.4.1 | Release Notes |
| https://sanjokkarki.com.np/blog/bitwarden-scim-key-bypass | Exploit, Third Party Advisory |
| https://www.vulncheck.com/advisories/bitwarden-server-authentication-bypass-via-scim-api-key | Third Party Advisory |
Configurations
History
16 May 2026, 03:04
| Type | Values Removed | Values Added |
|---|---|---|
| References | | https://github.com/bitwarden/server/commit/eb251d9bf80724c87b187661783b9354d1784083 - Patch |
| References | | https://github.com/bitwarden/server/pull/7403 - Issue Tracking, Patch |
| References | | https://github.com/bitwarden/server/releases/tag/v2026.4.1 - Release Notes |
| References | | https://sanjokkarki.com.np/blog/bitwarden-scim-key-bypass - Exploit, Third Party Advisory |
| References | | https://www.vulncheck.com/advisories/bitwarden-server-authentication-bypass-via-scim-api-key - Third Party Advisory |
| First Time | | Bitwarden server; Bitwarden |
| CPE | | cpe:2.3:a:bitwarden:server:*:*:*:*:*:*:*:* |
11 May 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-05-11 18:16
Updated : 2026-05-16 03:04
NVD link : CVE-2026-43640
Mitre link : CVE-2026-43640
CVE.ORG link : CVE-2026-43640
Products Affected
bitwarden
- server
CWE
CWE-303
Incorrect Implementation of Authentication Algorithm
