CVE-2026-43640

Published May 11th, 2026

View on NVD ↗

CVSS v3

8.1

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.

bitwarden/server

Bitwarden infrastructure/backend (API, database, Docker, etc).

GitHub

19.1K