PT-2026-39717 · Bitwarden · Bitwarden Server

Sanjok Karki

·

Published

2026-05-11

·

Updated

2026-05-16

·

CVE-2026-43640

CVSS v4.0

8.6

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Bitwarden Server versions prior to 2026.4.1
Description An issue exists where master-password re-authentication is not required when retrieving or rotating an organization's SCIM API key. This allows an authenticated user with SCIM management privileges to obtain the key using only a valid session.
Recommendations Update to version 2026.4.1 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43640

Affected Products

Bitwarden Server