Which versions of Bitwarden Server are affected by EUVD-2026-29171?

Bitwarden Server versions prior to 2026.4.1 contain an authentication bypass affecting SCIM API key management that allows authenticated users with SCIM privileges to retrieve or rotate organization…. A patch is available.

Is there a public PoC exploit available for EUVD-2026-29171?

Yes, a public proof-of-concept exploit is available for EUVD-2026-29171. Prioritise patching immediately. EPSS: 0.1%.

Bitwarden Server EUVD-2026-29171

Q: What is the CVSS score of EUVD-2026-29171?

EUVD-2026-29171 has a CVSS 4.0 base score of 8.6 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-43640 HIGH

Incorrect Implementation of Authentication Algorithm (CWE-303)

2026-05-11 VulnCheck

GHSA-6736-x63f-c628

Information Disclosure

8.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 11, 2026 - 18:45 vuln.today

Analysis Generated

May 11, 2026 - 18:45 vuln.today

CVSS changed

May 11, 2026 - 18:22 NVD

8.1 (HIGH) 8.6 (HIGH)

CVE Published

May 11, 2026 - 17:14 nvd

HIGH 8.6

DescriptionNVD

Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.

AnalysisAI

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management privileges to retrieve or rotate organization SCIM API keys without master password re-authentication. An attacker with valid session credentials and SCIM management rights can obtain sensitive API keys that enable user provisioning control, potentially leading to unauthorized account creation, modification, or deletion within the organization. …

RemediationAI

Within 24 hours: Inventory all Bitwarden Server deployments and identify current versions; disable or restrict SCIM provisioning integrations if version <2026.4.1 is confirmed. Within 7 days: Apply vendor-released patch v2026.4.1 to all affected Bitwarden Server instances and validate successful deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-29171 vulnerability details – vuln.today

Back

Bitwarden Server EUVD-2026-29171

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Bitwarden Server EUVD-2026-29171

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code