CVE-2026-43640

Summary

Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.

Affected Software

VendorProductVersion RangeStatus
bitwardenserver0 < 2026.4.1affected

Weaknesses

  • CWE-303: Incorrect Implementation of Authentication Algorithm

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References