Skip to main content

Vaultwarden CVE-2026-31835

| EUVDEUVD-2026-27424 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-05-05 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 05, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 05, 2026 - 19:32 vuln.today
Analysis Generated
May 05, 2026 - 19:32 vuln.today
CVSS changed
May 05, 2026 - 19:22 NVD
5.3 (MEDIUM)

DescriptionGitHub Advisory

Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in validate_webauthn_login() updates persistent credential metadata (1backup_eligible1 and 1backup_state flags1) based on unverified authenticatorData before signature validation is performed. An attacker who knows a user's password but cannot produce a valid WebAuthn signature can permanently modify the stored backup flags for that user's credential. If signature verification fails, the database update is not rolled back. This can result in a persistent denial of service of WebAuthn two-factor authentication for affected credentials. This issue has been fixed in version 1.35.5.

AnalysisAI

Vaultwarden versions 1.35.4 and earlier allow authenticated attackers to permanently disable WebAuthn two-factor authentication for user credentials by exploiting a logic flaw in the validate_webauthn_login() function that updates backup eligibility flags before validating the WebAuthn signature. An attacker with knowledge of a user's password can modify these persistent flags even when providing an invalid WebAuthn signature, causing signature verification to fail without rolling back the database changes, resulting in denial of service of the 2FA mechanism for affected credentials. The vulnerability has been patched in version 1.35.5.

Technical ContextAI

Vaultwarden is a self-hosted Bitwarden-compatible password manager server written in Rust. The vulnerability exists in the WebAuthn authentication flow, specifically in the validate_webauthn_login() function which handles FIDO2/WebAuthn credential verification. The root cause (CWE-345: Insufficient Verification of Data Authenticity) is a transaction ordering flaw where the application updates backup-related credential metadata (backup_eligible and backup_state flags) in the database before cryptographically validating the WebAuthn signature. This violates secure coding principles for authentication systems where all validation must complete successfully before persisting state changes. The WebAuthn standard (CTAP2/FIDO2) requires signature verification as a fundamental security control; premature database updates expose this critical control to bypass.

RemediationAI

Upgrade to Vaultwarden version 1.35.5 or later immediately. The patch moves the backup flag updates to occur only after successful WebAuthn signature verification, ensuring database state remains consistent with authentication success or failure. For environments unable to upgrade immediately, disable WebAuthn authentication as a temporary compensating control, though this reduces the security posture for all users relying on FIDO2 2FA. Monitor authentication logs for failed WebAuthn attempts combined with database modifications to detect potential exploitation attempts. Two-factor remember tokens are now limited to a maximum of 30 days validity after upgrade, and old tokens are immediately invalidated; users will need to re-authenticate on previously remembered devices. If you override admin templates, review and update them post-upgrade due to admin template changes in 1.35.5. See GitHub Security Advisory GHSA-x7g7-cgx5-jhx2 and release notes at https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.5 for complete details.

CVE-2026-27801 MEDIUM POC
5.9 Mar 04

Two-factor authentication bypass in Vaultwarden 1.34.3 and earlier allows authenticated attackers to circumvent 2FA prot

CVE-2026-27803 HIGH
8.3 Mar 04

Vaultwarden versions prior to 1.35.4 fail to properly enforce collection management permissions, allowing authenticated

CVE-2026-27802 HIGH
8.3 Mar 04

Vaultwarden versions before 1.35.4 contain a privilege escalation vulnerability that allows authenticated Manager-level

CVE-2026-47158 HIGH
8.3 Jul 15

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible ser

CVE-2026-47164 HIGH
7.7 Jul 15

Authentication bypass (account takeover) in Vaultwarden before 1.36.0 allows an attacker who controls a federated identi

CVE-2024-56335 HIGH
7.5 Dec 20

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Rated high sev

CVE-2026-47159 MEDIUM
6.9 Jul 15

Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values -

CVE-2026-43911 MEDIUM
6.8 May 11

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when t

CVE-2026-26012 MEDIUM
6.5 Feb 11

Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls

CVE-2026-47160 MEDIUM
5.8 Jul 15

{domain}/icon.png endpoint, bypassing the server's address blocklist. The icon-fetching HTTP client in src/http_client.r

CVE-2026-27898 MEDIUM
5.4 Mar 04

Vaultwarden versions up to 1.35.4 is affected by authorization bypass through user-controlled key (CVSS 5.4).

CVE-2026-33420 MEDIUM
5.3 May 05

Vaultwarden versions 1.35.4 and earlier expose organization collection metadata to Manager-role users lacking full acces

Share

CVE-2026-31835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy