Bitwarden Server SCIM API Key Authentication Bypass Vulnerability

Vulnerability

A vulnerability exists in Bitwarden Server versions prior to 2026.4.1: the application does not require re-authentication with the master password when an organization's SCIM API key is retrieved or rotated. An authenticated user with SCIM management privileges can therefore obtain the key with nothing more than a valid session. The root cause is that the SCIM key type is exempted from the password verification step, which allows unauthorized access to sensitive API functionality.
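To make the missing check concrete, the following is an added model of the retrieval and rotation gate (not Bitwarden's code; OrgApiKeyType, KeyRequest, authorize and the two policy functions are constructed names), showing the pre-2026.4.1 policy that exempts the SCIM key type beside the hardened policy that re-authenticates every key type:

```python
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class OrgApiKeyType(Enum):
    DEFAULT = "default"
    SCIM = "scim"

@dataclass
class KeyRequest:
    key_type: OrgApiKeyType
    session_valid: bool                  # caller holds a valid session
    master_password_hash: Optional[str]  # None when no secret was supplied

# Constructed sample state; a real server keeps these in its database.
STORED_MASTER_PASSWORD_HASH = "hash-of-the-correct-master-password"
STORED_KEYS = {t: f"{t.value}-key-0001" for t in OrgApiKeyType}

def verify_secret(supplied: Optional[str]) -> bool:
    """Re-authentication step: constant-time compare of the supplied hash."""
    return supplied is not None and hmac.compare_digest(
        supplied, STORED_MASTER_PASSWORD_HASH)

def reauth_required_vulnerable(key_type: OrgApiKeyType) -> bool:
    """Pre-2026.4.1 policy: the SCIM key type is exempt from verification."""
    return key_type != OrgApiKeyType.SCIM

def reauth_required_fixed(key_type: OrgApiKeyType) -> bool:
    """Hardened policy: every organization API key type needs re-authentication."""
    return True

def authorize(req: KeyRequest, policy) -> bool:
    """Gate shared by retrieval and rotation: a valid session, plus a verified
    secret whenever the policy demands one for this key type."""
    if not req.session_valid:
        return False
    return not policy(req.key_type) or verify_secret(req.master_password_hash)

def get_org_api_key(req: KeyRequest, policy) -> Optional[str]:
    return STORED_KEYS[req.key_type] if authorize(req, policy) else None

def rotate_org_api_key(req: KeyRequest, policy) -> Optional[str]:
    if not authorize(req, policy):
        return None
    STORED_KEYS[req.key_type] = f"{req.key_type.value}-key-{secrets.token_hex(4)}"
    return STORED_KEYS[req.key_type]
```

The fix is a policy change, not an endpoint change: the same gate protects both read and rotate once no key type is exempt.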

Impact

Exploitation of this vulnerability allows for unauthorized retrieval and rotation of SCIM API keys, which can be misused to manage users and groups within an organization, bypassing normal authentication requirements.

Reproduction

To reproduce this vulnerability, an authenticated user with SCIM management privileges can send a request to the SCIM API key retrieval endpoint without providing a valid master password. The absence of password verification for SCIM key requests will result in the API key being returned, demonstrating the authentication bypass.

Remediation

Update to Bitwarden Server version 2026.4.1 or later, which contains the fix for this vulnerability.

Added: May 11, 2026, 6:20 PM
Updated: May 11, 2026, 6:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 5.6
exploitability: 6.1
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.