CVE-2026-43640 - Bitwarden Server - Authentication Bypass

Overview

Bitwarden Server < v2026.4.1 contains a broken authentication caused by lack of master-password re-authentication when retrieving or rotating an organization's SCIM API key, letting authenticated users with SCIM management privileges obtain the key using only a valid session.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 5.5%(Probability of exploitation in next 30 days)

Impact

Authenticated users with SCIM management privileges can obtain the organization's SCIM API key, risking unauthorized access and potential data compromise.

Mitigation

Update to version v2026.4.1 or later.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

May 11, 2026

🟠 CVE-2026-43640 - High (8.1) Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-43640/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

May 11, 2026

🟠 CVE-2026-43640 - High (8.1) Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-43640/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-43640 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score