CVE-2026-43914

7.3 HIGH
Published: May 11, 2026 Modified: May 13, 2026
View on NVD

Description

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/dani-garcia/vaultwarden/pull/6867
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4
Source: security-advisories@github.com
Product Release Notes
https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-c5rv-q295-7w4g
Source: security-advisories@github.com
Exploit Patch Vendor Advisory
https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-c5rv-q295-7w4g
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit Patch Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.3 / 10.0
EPSS (Exploit Probability)
0.3%
20th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-307

Affected Vendors

dani-garcia

Related CVEs

CVE-2026-48777 N/A
CVE-2026-47750 7.8
CVE-2026-47747 7.8
CVE-2026-46448 5.4
CVE-2026-22313 9.1