Bitwarden Server before version 2026.4.1 has an authentication design flaw where master-password re-authentication is not enforced during retrieval or rotation of an organization's SCIM API key. Consequently, any user authenticated with SCIM management privileges can access the SCIM API key by leveraging an active session, bypassing the expected additional authentication layer.

An authenticated user with SCIM management privileges can obtain the organization's SCIM API key without needing to re-enter the master password. This could lead to unauthorized access or misuse of the SCIM API key, potentially compromising identity management integrations that rely on this key. The vulnerability has a CVSS 4.0 score of 8.6, indicating high severity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability affects versions prior to v2026.4.1, upgrading to version 2026.4.1 or later is likely required once the vendor releases an official fix. Until then, restrict SCIM management privileges to trusted users and monitor for unusual activity related to SCIM API key usage.