{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/bitwarden-server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-43640"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Bitwarden Server"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","privilege-escalation","cve"],"_cs_type":"advisory","_cs_vendors":["Bitwarden"],"content_html":"\u003cp\u003eBitwarden Server prior to version v2026.4.1 is vulnerable to an authentication bypass. The vulnerability, identified as CVE-2026-43640, allows an authenticated user with SCIM (System for Cross-domain Identity Management) management privileges to retrieve or rotate an organization\u0026rsquo;s SCIM API key without requiring master-password re-authentication. This means that if an attacker gains access to a valid user session with SCIM management privileges, they can obtain the SCIM API key without needing to know the user\u0026rsquo;s master password. The issue stems from an incorrect implementation of the authentication algorithm (CWE-303). 
This can lead to unauthorized access to sensitive resources managed through the SCIM API.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains an existing, authenticated session of a Bitwarden Server user with SCIM management privileges, for example via a stolen session token or an unattended, unlocked client. The bypass matters precisely when the attacker holds a session but not the master password: an attacker who already knows the master password (e.g. from phishing or credential stuffing) would pass the re-authentication prompt anyway.\u003c/li\u003e\n\u003cli\u003eUsing that session, the attacker accesses the Bitwarden Server web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization settings related to SCIM configuration.\u003c/li\u003e\n\u003cli\u003eInstead of being prompted for master password re-authentication, the attacker is granted access to retrieve the SCIM API key.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the existing SCIM API key.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker can initiate a SCIM API key rotation, generating a new key without master password verification. Rotation invalidates the key configured in the legitimate identity provider, so provisioning from the real IdP stops working, which is itself a detection signal.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained SCIM API key to call the organization\u0026rsquo;s Bitwarden SCIM endpoint as if they were the identity provider\u0026rsquo;s provisioning connector. The key does not grant access to the identity provider itself; it grants control over which users and groups are provisioned into the Bitwarden organization.\u003c/li\u003e\n\u003cli\u003eThe attacker could provision attacker-controlled accounts, modify or deprovision existing members and groups, or enumerate member and group data through the SCIM API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-43640 can lead to a compromise of the affected organization\u0026rsquo;s user and group provisioning. An attacker with a valid user session with SCIM management privileges can obtain the SCIM API key and use it to perform unauthorized actions, such as provisioning attacker-controlled accounts, modifying or deprovisioning existing members and groups, or enumerating member and group data. 
This vulnerability affects all Bitwarden Server instances prior to version v2026.4.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Bitwarden Server to version v2026.4.1 or later to patch CVE-2026-43640.\u003c/li\u003e\n\u003cli\u003eIf a session with SCIM management privileges may have been exposed before the upgrade, rotate the SCIM API key after patching and update the identity provider\u0026rsquo;s provisioning configuration with the new key.\u003c/li\u003e\n\u003cli\u003eMonitor Bitwarden Server logs for unusual activity related to SCIM API key retrieval or rotation, using the log source \u003ccode\u003ewebserver\u003c/code\u003e. Unexpected provisioning failures reported by the identity provider are a second indicator that the key was rotated without authorization.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) on all Bitwarden accounts, especially those with administrative privileges. MFA protects the login but does not prevent abuse of an already established session, which is what this bypass requires; it reduces the chance of such a session being obtained through stolen credentials.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule accompanying this brief to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T18:18:10Z","date_published":"2026-05-11T18:18:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-bitwarden-scim-bypass/","summary":"Bitwarden Server before v2026.4.1 allows an authenticated user with SCIM management privileges to bypass master-password re-authentication when retrieving or rotating an organization's SCIM API key, potentially leading to unauthorized access.","title":"Bitwarden Server SCIM API Key Authentication Bypass (CVE-2026-43640)","url":"https://feed.craftedsignal.io/briefs/2026-05-bitwarden-scim-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-43639"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Bitwarden Server"],"_cs_severities":["high"],"_cs_tags":["cve","bitwarden","takeover","missing-authorization","cloud"],"_cs_type":"advisory","_cs_vendors":["Bitwarden"],"content_html":"\u003cp\u003eBitwarden Server before version 2026.4.0 is susceptible to a missing authorization vulnerability identified as CVE-2026-43639. This flaw allows a malicious provider service user in a multi-tenant cloud environment to add an arbitrary organization to their provider account. 
The vulnerability is located in the \u003ccode\u003e/providers/{providerId}/clients/existing\u003c/code\u003e endpoint. Successful exploitation leads to the takeover of the target organization, granting the attacker unauthorized access and control. Self-hosted Bitwarden installations are not affected: the endpoint is available only in the cloud-hosted version because of the \u003ccode\u003eSelfHosted(NotSelfHostedOnly = true)\u003c/code\u003e restriction on the action. This issue was reported by VulnCheck.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates as a legitimate provider service user within a Bitwarden Cloud environment; no privilege on the target organization is needed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/providers/{providerId}/clients/existing\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eproviderId\u003c/code\u003e path parameter is the attacker\u0026rsquo;s own provider ID, so any check that the caller belongs to that provider passes.\u003c/li\u003e\n\u003cli\u003eThe request body identifies the target organization to be added to the attacker\u0026rsquo;s provider account.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization check, the server processes the request without validating whether the attacker has permission to manage the target organization; the authorization that is performed is scoped to the provider, not to the organization being claimed.\u003c/li\u003e\n\u003cli\u003eThe target organization is added to the attacker\u0026rsquo;s provider account.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the access a legitimate managing provider would have over the target organization\u0026rsquo;s Bitwarden data.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access sensitive credentials, modify organization settings, and potentially exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-43639 allows an attacker to take over a Bitwarden 
organization in a cloud-hosted environment. This can lead to significant data breaches, as the attacker gains access to all passwords and secrets stored within the compromised organization\u0026rsquo;s vault. The impact includes potential financial loss, reputational damage, and legal liabilities for the affected organization. Exposure is limited to organizations hosted on Bitwarden Cloud; self-hosted instances do not expose the endpoint.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Bitwarden Server to version 2026.4.0 or later to patch CVE-2026-43639. Because the endpoint is cloud-only, this patch is applied by Bitwarden on the hosted service; cloud customers cannot upgrade themselves, and their actionable step is the configuration review below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Bitwarden Provider Organization Takeover Attempt\u0026rdquo; to monitor for suspicious POST requests to the \u003ccode\u003e/providers/{providerId}/clients/existing\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWhere web server logs are available, monitor them for anomalous POST requests to \u003ccode\u003e/providers/{providerId}/clients/existing\u003c/code\u003e originating from provider service users, in particular a single provider adding organizations it has no business relationship with.\u003c/li\u003e\n\u003cli\u003eReview Bitwarden Cloud provider configurations for any unauthorized organization additions, and from the organization side verify that the organization is managed only by the provider it expects.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T18:17:55Z","date_published":"2026-05-11T18:17:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-bitwarden-takeover/","summary":"Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability (CVE-2026-43639) that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in takeover of the target organization in cloud-hosted deployments.","title":"Bitwarden Server Missing Authorization Vulnerability Leading to Organization Takeover (CVE-2026-43639)","url":"https://feed.craftedsignal.io/briefs/2026-05-bitwarden-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Bitwarden 
Server","version":"https://jsonfeed.org/version/1.1"}
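Both advisories above recommend watching web server logs: the takeover brief for POST requests to `/providers/{providerId}/clients/existing`, the SCIM brief for SCIM API key retrieval or rotation. The following detector is an added example written for this page; it is not CraftedSignal's Sigma rule and not Bitwarden code. The provider endpoint pattern is taken from the advisory; the SCIM key routes in `SCIM_KEY_PATHS` are an assumption and must be checked against the Bitwarden Server version in use. The log lines are constructed samples, not real traffic.

```python
"""Access-log detector for the two Bitwarden Server advisories in this feed.

Added example; it is not CraftedSignal's Sigma rule and not Bitwarden code.
It parses combined-format web server log lines (constructed samples below)
and flags:
  * POST /providers/{providerId}/clients/existing  (CVE-2026-43639; path
    taken from the advisory)
  * SCIM API key retrieval / rotation requests      (CVE-2026-43640; the
    route patterns in SCIM_KEY_PATHS are an ASSUMPTION, verify them against
    your own Bitwarden Server version)
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"

# Combined log format prefix: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Rule 1: the endpoint named in the CVE-2026-43639 advisory.
PROVIDER_ADD_RE = re.compile(rf"^/providers/{GUID}/clients/existing/?$")

# Rule 2: ASSUMED routes for retrieving / rotating an organization API key
# (the SCIM key is one type of organization API key).
SCIM_KEY_PATHS = {
    re.compile(rf"^/organizations/{GUID}/api-key/?$"): "scim_api_key_retrieve",
    re.compile(rf"^/organizations/{GUID}/rotate-api-key/?$"): "scim_api_key_rotate",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    cve: str
    ip: str
    user: str
    path: str
    status: int
    succeeded: bool   # 2xx: the server accepted the request


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[tuple]:
    """Return (rule, cve) when the request hits a watched endpoint, else None.
    Only POST matters: both advisories describe state-changing requests."""
    if entry["method"] != "POST":
        return None
    path = entry["path"].split("?", 1)[0]          # drop any query string
    if PROVIDER_ADD_RE.match(path):
        return ("provider_org_add", "CVE-2026-43639")
    for pattern, rule in SCIM_KEY_PATHS.items():
        if pattern.match(path):
            return (rule, "CVE-2026-43640")
    return None


def scan(lines) -> list:
    """Run both rules over an iterable of log lines and return Finding objects."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                                # unparseable; count these in production
        hit = classify(entry)
        if hit is None:
            continue
        status = int(entry["status"])
        findings.append(Finding(hit[0], hit[1], entry["ip"], entry["user"],
                                entry["path"], status, 200 <= status < 300))
    return findings


def by_source(findings) -> Counter:
    """Successful hits per (ip, rule). Several accepted provider-add requests
    from one source in a short window is the strongest CVE-2026-43639 signal;
    a 403 means the check held and is excluded from this counter."""
    return Counter((f.ip, f.rule) for f in findings if f.succeeded)


# Constructed sample log lines (not real traffic); IPs are documentation ranges, GUIDs are made up.
SAMPLE_LOG = [
    '203.0.113.7 - svc-user [11/May/2026:18:02:11 +0000] "POST /providers/3f2a9c1e-5b7d-4e8a-9c21-0d4f6e8b1a33/clients/existing HTTP/1.1" 200 512',
    '203.0.113.7 - svc-user [11/May/2026:18:02:40 +0000] "POST /providers/3f2a9c1e-5b7d-4e8a-9c21-0d4f6e8b1a33/clients/existing HTTP/1.1" 200 498',
    '198.51.100.4 - alice [11/May/2026:18:05:02 +0000] "POST /organizations/9b1f0c2d-7e4a-4c3b-8d5e-2a6f7b8c9d01/rotate-api-key HTTP/1.1" 200 301',
    '198.51.100.4 - alice [11/May/2026:18:05:30 +0000] "GET /organizations/9b1f0c2d-7e4a-4c3b-8d5e-2a6f7b8c9d01/users HTTP/1.1" 200 2048',
    '192.0.2.9 - bob [11/May/2026:18:06:00 +0000] "POST /providers/3f2a9c1e-5b7d-4e8a-9c21-0d4f6e8b1a33/clients/existing HTTP/1.1" 403 0',
    'garbage line',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.cve} {f.rule:<22} {f.ip:<13} user={f.user} status={f.status}")
    print(by_source(hits))
```

On the sample input the scanner reports two accepted provider-add requests from `203.0.113.7`, one accepted SCIM key rotation, and one rejected (403) provider-add attempt; the GET and the unparseable line are ignored. Access logs do not carry the request body, so the organization being claimed is not visible here; correlating a successful provider-add with the provider's existing client list is what turns a hit into a confirmed unauthorized addition.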