Bitwarden Server CVE-2026-43640: SCIM API Key Exposed Without Re-Auth
The National Vulnerability Database has disclosed CVE-2026-43640, a high-severity vulnerability affecting Bitwarden Server versions prior to 2026.4.1. This flaw, rated 8.1 CVSS, allows an authenticated user with SCIM management privileges to retrieve or rotate an organization’s SCIM API key without requiring master-password re-authentication. A valid session is all that’s needed.
This is a critical bypass. SCIM API keys control user provisioning and de-provisioning, a fundamental component of identity management. An attacker gaining access to this key effectively controls user lifecycles within connected applications, leading to unauthorized account creation, modification, or deletion across an organization’s integrated services.
Defenders need to understand the attacker’s calculus here. This isn’t about brute-forcing a password; it’s about privilege escalation through session hijacking or internal compromise. Once an attacker has a foothold and a valid session, this vulnerability provides a direct path to identity management control, bypassing a crucial security control that should protect sensitive API key access.
What This Means For You
- If your organization uses Bitwarden Server, you must immediately audit your version. Update to Bitwarden Server v2026.4.1 or later to patch CVE-2026-43640. Review access logs for any suspicious SCIM API key retrieval or rotation activities, especially if performed without master password re-authentication.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Bitwarden SCIM API Key Retrieval via Unauthenticated Session - CVE-2026-43640
title: Bitwarden SCIM API Key Retrieval via Unauthenticated Session - CVE-2026-43640
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
Detects the retrieval of a Bitwarden organization's SCIM API key via the SCIM v2 API endpoint without requiring re-authentication. This is specific to CVE-2026-43640, where an authenticated user with SCIM management privileges can obtain the key using only a valid session.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-43640/
tags:
- attack.credential_access
- attack.t1539
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/api/scim/v2/organizations'
cs-method:
- 'GET'
sc-status:
- 200
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43640 | Auth Bypass | Bitwarden Server < v2026.4.1 |
| CVE-2026-43640 | Information Disclosure | SCIM API key retrieval without master-password re-authentication |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-8321: Inkeep Agents Authentication Bypass Vulnerability
CVE-2026-8321 — A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware....
CVE-2026-8320 — Jishenghua JshERP Server-Side Request Forgery
CVE-2026-8320 — A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the...
CVE-2026-8319 — A weakness has been identified in aiwaves-cn agents up to
CVE-2026-8319 — A weakness has been identified in aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59. Affected by this issue is the function recall_relevant_memories_to_working_memory of the file core/cat/looking_glass/stray_cat.py...