Skip to main content

Bitwarden Server CVE-2026-43640

| EUVDEUVD-2026-29171 HIGH
Incorrect Implementation of Authentication Algorithm (CWE-303)
2026-05-11 VulnCheck GHSA-6736-x63f-c628
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 11, 2026 - 18:45 vuln.today
Analysis Generated
May 11, 2026 - 18:45 vuln.today
CVSS changed
May 11, 2026 - 18:22 NVD
8.1 (HIGH) 8.6 (HIGH)
CVE Published
May 11, 2026 - 17:14 nvd
HIGH 8.6

DescriptionCVE.org

Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.

AnalysisAI

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management privileges to retrieve or rotate organization SCIM API keys without master password re-authentication. An attacker with valid session credentials and SCIM management rights can obtain sensitive API keys that enable user provisioning control, potentially leading to unauthorized account creation, modification, or deletion within the organization. Public exploit code exists, and vendor patch v2026.4.1 addresses the issue via GitHub PR #7403.

Technical ContextAI

Bitwarden Server implements System for Cross-domain Identity Management (SCIM) for automated user provisioning in enterprise deployments. SCIM API keys are sensitive credentials that grant programmatic access to user lifecycle operations (create, update, deactivate) within an organization. The vulnerability stems from CWE-303 (Incorrect Implementation of Authentication Algorithm), where the application failed to enforce step-up authentication when accessing or rotating these high-privilege credentials. Normally, sensitive operations like credential retrieval should require master password re-authentication even within an authenticated session, following the principle of least privilege and defense-in-depth. The affected component is the SCIM key management endpoint in Bitwarden Server's organization administration module (cpe:2.3:a:bitwarden:server). The CVSS 4.0 vector indicates network-accessible exploitation with low complexity and low privilege requirements, resulting in high confidentiality and integrity impact to the vulnerable system.

RemediationAI

Upgrade Bitwarden Server to version 2026.4.1 or later, which implements master password re-authentication requirements for SCIM API key operations (patch commit eb251d9bf80724c87b187661783b9354d1784083, merged via PR #7403 at https://github.com/bitwarden/server/pull/7403). Organizations unable to immediately upgrade should implement compensating controls: (1) Rotate all existing SCIM API keys immediately after patching to invalidate any keys that may have been obtained by unauthorized users; (2) Audit SCIM management role assignments to ensure only trusted administrators have access (review organization permission logs for unexpected SCIM key retrievals); (3) If SCIM provisioning is not actively required, temporarily disable the feature via organization settings to eliminate the attack surface until patching is complete; (4) Monitor SCIM API usage logs for anomalous provisioning activity (unusual user creations, bulk modifications, or off-hours access) that may indicate key compromise. Note that disabling SCIM will interrupt automated user provisioning workflows and require manual user management. Release notes available at https://github.com/bitwarden/server/releases/tag/v2026.4.1.

More in Server

View all
CVE-2018-1000881 CRITICAL POC
9.8 Dec 20

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2026-43639 HIGH POC
8.9 May 11

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access

CVE-2021-42973 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl

CVE-2021-42972 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2023-30223 HIGH POC
7.5 Jun 16

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen

CVE-2023-30222 HIGH POC
7.5 Jun 16

An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2017-7855 MEDIUM POC
6.1 Aug 31

In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet

CVE-2022-39395 CRITICAL
9.9 Nov 10

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se

CVE-2026-49261 CRITICAL
9.8 Jun 11

OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes b

Share

CVE-2026-43640 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy