CVE-2026-43640 Overview
CVE-2026-43640 is an authentication bypass vulnerability in Bitwarden Server versions prior to v2026.4.1. The flaw resides in the organization API key controller, which fails to enforce master-password re-authentication when an authenticated user retrieves or rotates an organization's System for Cross-domain Identity Management (SCIM) API key. An authenticated user with SCIM management privileges can obtain the key using only a valid session, bypassing the secondary verification step required for other API key types. The issue is tracked under CWE-303 (Incorrect Implementation of Authentication Algorithm).
Critical Impact
An attacker holding a valid Bitwarden session with SCIM management privileges can extract or rotate the organization's SCIM API key without supplying the master password, enabling unauthorized identity provisioning operations.
Affected Products
- Bitwarden Server versions prior to v2026.4.1
- Self-hosted Bitwarden deployments using SCIM provisioning
- Bitwarden organization tenants with SCIM management enabled
Discovery Timeline
- 2026-05-11 - CVE-2026-43640 published to NVD
- 2026-05-16 - Last updated in NVD database
Technical Details for CVE-2026-43640
Vulnerability Analysis
The vulnerability exists in src/Api/AdminConsole/Controllers/OrganizationsController.cs. The controller logic for api-key and rotate-api-key endpoints contained a conditional that explicitly skipped master-password verification when the requested key type was OrganizationApiKeyType.Scim. As a result, any authenticated user with SCIM management privileges could request the SCIM API key without proving possession of the master password.
The SCIM API key authorizes identity-provider integrations to create, update, and remove organization members. Disclosure or rotation of this key allows an attacker to provision attacker-controlled accounts, deprovision legitimate users, or disrupt directory synchronization. The attack requires only network access and a valid session token, with no user interaction.
Root Cause
The root cause is an incorrect authentication algorithm implementation that treated SCIM key operations as exempt from the secondary master-password check (VerifySecretAsync). The exemption likely existed to support automation flows, but it removed a critical defense-in-depth control protecting a high-value secret.
Attack Vector
An authenticated user with SCIM management privileges sends an authenticated request to the organization API key endpoint specifying the SCIM key type. The server returns the key without prompting for master-password reverification. The attacker can then use the key against the SCIM endpoint to manipulate organization membership.
// Patch diff in src/Api/AdminConsole/Controllers/OrganizationsController.cs
throw new UnauthorizedAccessException();
}
- if (model.Type != OrganizationApiKeyType.Scim
- && !await _userService.VerifySecretAsync(user, model.Secret))
+ if (!await _userService.VerifySecretAsync(user, model.Secret))
{
await Task.Delay(2000);
throw new BadRequestException("MasterPasswordHash", "Invalid password.");
}
- else
- {
- var response = new ApiKeyResponseModel(organizationApiKey);
- return response;
- }
+
+ var response = new ApiKeyResponseModel(organizationApiKey);
+ return response;
}
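Review bot: with the `model.Type != OrganizationApiKeyType.Scim` short-circuit removed, a SCIM request that carries no `model.Secret` (which is what any automation still sending the old payload will do) now takes the failure path through `VerifySecretAsync`, the `Task.Delay(2000)` and the `BadRequestException("MasterPasswordHash", "Invalid password.")`; that is the intended outcome, but it is worth rejecting a null or empty `Secret` before the hash check so such callers fail fast rather than through the two-second slow path, and adding a regression test that asserts the `Scim` key type is no longer exempt so the exemption cannot quietly return.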
Source: Bitwarden Server commit eb251d9. The fix removes the SCIM-type exemption so that every API key retrieval and rotation enforces master-password verification.
Detection Methods for CVE-2026-43640
Indicators of Compromise
- Requests to organization API key endpoints (/organizations/{id}/api-key or /organizations/{id}/rotate-api-key) where the payload specifies Type=Scim without a preceding master-password challenge.
- Unexpected SCIM API key rotations recorded in Bitwarden audit logs.
- New or unfamiliar organization members created via SCIM that do not correspond to identity provider activity.
Detection Strategies
- Review Bitwarden event logs for Organization_ClientApiKeyUpdated and SCIM key retrieval events tied to users who do not normally perform key management.
- Correlate SCIM key access events with the originating session, source IP, and user-agent to identify anomalous retrievals.
- Alert on any SCIM-key access from Bitwarden Server instances running versions earlier than v2026.4.1.
Monitoring Recommendations
- Forward Bitwarden audit logs to a centralized logging platform and retain them for forensic review.
- Monitor SCIM endpoint traffic for spikes in member-provisioning calls following an API key retrieval event.
- Track outbound calls from Bitwarden infrastructure to ensure rotated SCIM keys are not being exfiltrated to unauthorized endpoints.
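The two detection strategies above (SCIM key access by users who do not normally manage keys, and member-provisioning bursts shortly after a key retrieval) plus the version check can be run over an audit-log export. The script below is an added example written for this page, not Bitwarden code and not a tool from the advisory. It assumes a JSON-lines export of organization events with the fields used in the code; the event name Organization_ClientApiKeyUpdated and the Type=Scim payload value come from the advisory, while the retrieval event name, the OrganizationUser_* provisioning names and the other field names are assumptions to map onto your own export, and the sample events are constructed.

```python
"""Triage a Bitwarden event export for CVE-2026-43640 exposure (example code
written for this page, not Bitwarden's own; field and event names other than
Organization_ClientApiKeyUpdated are assumptions for the sample export)."""
import json
import re
from datetime import datetime, timedelta

# The advisory states the fix shipped in v2026.4.1; anything below is exposed.
FIXED_VERSION = (2026, 4, 1)

# Events that represent organization API key retrieval or rotation.
# Organization_ClientApiKeyUpdated is named in the advisory; the retrieval
# event name below is a placeholder for whatever your deployment logs.
KEY_EVENTS = {"Organization_ClientApiKeyUpdated", "ORG_API_KEY_RETRIEVED_PLACEHOLDER"}
# Member-provisioning events to correlate with (assumed OrganizationUser_* naming).
PROVISION_EVENTS = {"OrganizationUser_Invited", "OrganizationUser_Confirmed"}


def parse_version(text):
    """Turn 'v2026.3.2' or '2026.4.1-beta' into a comparable (major, minor, patch)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(text):
    """True when the reported server version predates the fix."""
    return parse_version(text) < FIXED_VERSION


def load_events(jsonl_text):
    """Parse a JSON-lines export, converting 'date' to a datetime, oldest first."""
    events = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["date"] = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["date"])


def find_scim_key_findings(events, trusted_key_admins, window=timedelta(minutes=30), burst=3):
    """Return (reason, event) pairs for the advisory's two detection strategies:
    SCIM key access by an actor outside trusted_key_admins, and a burst of
    provisioning events in the same organization within `window` afterwards."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("type") not in KEY_EVENTS or ev.get("apiKeyType") != "Scim":
            continue
        if ev.get("actingUserId") not in trusted_key_admins:
            findings.append(("scim_key_access_by_untrusted_actor", ev))
        deadline = ev["date"] + window
        provisioned = [
            later for later in events[i + 1:]
            if later["date"] <= deadline
            and later.get("organizationId") == ev.get("organizationId")
            and later.get("type") in PROVISION_EVENTS
        ]
        if len(provisioned) >= burst:
            findings.append(("provisioning_burst_after_scim_key_access", ev))
    return findings


# Constructed sample export: a help-desk user rotates the SCIM key and three
# invitations follow within minutes; an owner's later rotation looks benign.
SAMPLE_EVENTS_JSONL = """
{"type": "Organization_ClientApiKeyUpdated", "apiKeyType": "Scim", "date": "2026-05-12T09:00:00Z", "actingUserId": "u-helpdesk-7", "organizationId": "org-1", "ipAddress": "203.0.113.9"}
{"type": "OrganizationUser_Invited", "date": "2026-05-12T09:03:00Z", "organizationId": "org-1"}
{"type": "OrganizationUser_Invited", "date": "2026-05-12T09:04:00Z", "organizationId": "org-1"}
{"type": "OrganizationUser_Invited", "date": "2026-05-12T09:05:00Z", "organizationId": "org-1"}
{"type": "Organization_ClientApiKeyUpdated", "apiKeyType": "Default", "date": "2026-05-12T11:00:00Z", "actingUserId": "u-owner-1", "organizationId": "org-1", "ipAddress": "198.51.100.4"}
{"type": "Organization_ClientApiKeyUpdated", "apiKeyType": "Scim", "date": "2026-05-12T14:00:00Z", "actingUserId": "u-owner-1", "organizationId": "org-1", "ipAddress": "198.51.100.4"}
"""

if __name__ == "__main__":
    print("server vulnerable:", is_vulnerable_version("v2026.3.7"))
    for reason, ev in find_scim_key_findings(load_events(SAMPLE_EVENTS_JSONL), {"u-owner-1"}):
        print(reason, ev["date"].isoformat(), ev.get("actingUserId"), ev.get("ipAddress"))
```

Run it against a real export by replacing SAMPLE_EVENTS_JSONL with the file contents and the trusted set with the users who legitimately manage keys; the source IP and user-agent fields on each flagged event give the session correlation the second strategy asks for.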
How to Mitigate CVE-2026-43640
Immediate Actions Required
- Upgrade self-hosted Bitwarden Server deployments to v2026.4.1 or later without delay.
- Rotate the SCIM API key for every organization after upgrading, then update the identity provider with the new key.
- Audit organization membership changes and SCIM key access events from the last 90 days for unauthorized activity.
- Reduce the number of users granted SCIM management privileges to the minimum required.
Patch Information
Bitwarden addressed the issue in Bitwarden Server release v2026.4.1 through pull request #7403. The fix removes the SCIM-specific exemption so that all organization API key retrieval and rotation operations require successful master-password verification via VerifySecretAsync. Additional context is available in the VulnCheck Security Advisory and the blog post on the SCIM key bypass.
Workarounds
- If patching is not immediately possible, disable SCIM provisioning at the organization level until the upgrade is applied.
- Restrict network access to the Bitwarden admin API so that only trusted management hosts can reach the organization API key endpoints.
- Require step-up authentication, such as enforced single sign-on with multifactor authentication, for any account holding SCIM management privileges.
# Example: upgrade a self-hosted Bitwarden deployment to the patched release
./bitwarden.sh updateself
./bitwarden.sh update
# bitwarden.sh update already pulls the new images and restarts the stack;
# the two compose commands below apply only if you run the containers by hand
docker compose pull
docker compose up -d
# Verify the running version is v2026.4.1 or later (no TTY flags needed for a plain cat)
docker exec bitwarden-api cat /etc/bitwarden/version || \
curl -s https://<bitwarden-host>/api/version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.