CVE-2026-43640
EUVD-2026-2917111.05.2026, 18:16
Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| bitwarden | server | 𝑥 < 2026.4.1 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| bitwarden | bitwarden | 𝑥 < 2026.4.1 | CNA |
Common Weakness Enumeration
References