ZeroPath at Black Hat USA 2026

Bitwarden Server CVE-2026-43640: Quick Look at the SCIM API Key Authentication Bypass

A brief summary of CVE-2026-43640, a high severity authentication bypass in Bitwarden Server that allowed SCIM API key retrieval without master password verification, enabling persistent provisioning control via a valid session alone.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-11

Bitwarden Server CVE-2026-43640: Quick Look at the SCIM API Key Authentication Bypass
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A logic flaw in Bitwarden Server's organization API key endpoints allowed any authenticated user with SCIM management privileges to retrieve or rotate the SCIM API key without re-entering their master password, turning a long lived provisioning credential into a trivially exfiltrable secret. For organizations relying on SCIM to automate user provisioning through their Identity Provider, this vulnerability quietly exposed persistent out of band control over their entire Bitwarden user directory to anyone holding a valid admin session.

Technical Information

Root Cause

The vulnerability resides in OrganizationsController.cs and affects two endpoints:

  • POST /organizations/{id}/api-key
  • POST /organizations/{id}/rotate-api-key

Both endpoints share a common authentication guard that checks whether the caller has verified their identity via master password before returning sensitive key material. The problematic condition was:

if (model.Type != OrganizationApiKeyType.Scim && !await _userService.VerifySecretAsync(user, model.Secret))

This is a classic short circuit evaluation issue. When model.Type equals OrganizationApiKeyType.Scim, the first operand (model.Type != OrganizationApiKeyType.Scim) evaluates to false. Because the condition uses a logical AND (&&), the runtime skips the second operand entirely, meaning VerifySecretAsync is never called. Execution falls through to the else branch, which returns or rotates the SCIM key without any password verification.

This created a clear asymmetry in authentication requirements across API key types:

Key TypeAuthentication Required (Pre Fix)Caller Role RequiredRisk Level
DefaultMaster passwordOwnerLow
BillingSyncMaster passwordOwnerLow
ScimSession onlyAdmin or Custom with ManageScimHigh

The SCIM key had the lowest authentication barrier and the lowest role requirement while granting persistent out of band access to user provisioning.

Attack Flow

  1. Session Compromise: The attacker obtains a valid session token belonging to a user with ManageScim permissions. This includes users with the Admin role or any Custom role where ManageScim is enabled.

  2. Key Retrieval: The attacker sends a POST request to /organizations/{id}/api-key, specifying OrganizationApiKeyType.Scim as the type and providing any arbitrary string for the master password hash field. The server returns a 200 OK response containing the live SCIM API key.

  3. Optional Key Rotation: The attacker can also call /organizations/{id}/rotate-api-key with the same parameters. This replaces the existing SCIM key with a new one, effectively locking out the legitimate Identity Provider integration while leaving only the attacker in possession of the valid key.

  4. Persistent Access: With the SCIM API key, the attacker can provision new users, remove existing users, and modify groups entirely outside the standard Bitwarden session model. This access persists independently of the original compromised session.

Classification

This vulnerability is classified under CWE 303 (Incorrect Implementation of Authentication Algorithm), reflecting the design flaw where a boolean guard inadvertently exempted SCIM key operations from the password verification requirement that protected all other API key types.

Affected Systems and Versions

Deployment TypeAffected VersionsFixed VersionRelease Date
Self HostedAll versions prior to 2026.4.12026.4.1April 20, 2026
Bitwarden CloudAll versions prior to May 5, 2026 deploymentCloud DeployedMay 5 to May 6, 2026

The vulnerability affects any Bitwarden Server deployment where SCIM provisioning is configured and at least one user holds Admin or Custom (with ManageScim) permissions.

Vendor Security History

Bitwarden maintains a generally strong security posture. The vendor runs independent security researcher programs and undergoes regular third party audits by firms such as Cure53. Bitwarden holds SOC2 Type II, SOC3, ISO 27001, and HIPAA compliance certifications. The response timeline for CVE-2026-43640 was notably efficient: reported on March 25, 2026, the fix landed in the main branch by April 8, shipped to self hosted customers on April 20, and reached the cloud environment by May 6. The total time from report to full remediation was approximately six weeks.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization