Skip to main content

Vaultwarden CVE-2026-43911

| EUVDEUVD-2026-29339 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-05-11 GitHub_M
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
May 11, 2026 - 23:03 EUVD
CVE Published
May 11, 2026 - 21:54 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.

Analysis

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.

CVE-2026-27801 MEDIUM POC
5.9 Mar 04

Two-factor authentication bypass in Vaultwarden 1.34.3 and earlier allows authenticated attackers to circumvent 2FA prot

CVE-2026-27803 HIGH
8.3 Mar 04

Vaultwarden versions prior to 1.35.4 fail to properly enforce collection management permissions, allowing authenticated

CVE-2026-27802 HIGH
8.3 Mar 04

Vaultwarden versions before 1.35.4 contain a privilege escalation vulnerability that allows authenticated Manager-level

CVE-2026-47158 HIGH
8.3 Jul 15

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible ser

CVE-2026-47164 HIGH
7.7 Jul 15

Authentication bypass (account takeover) in Vaultwarden before 1.36.0 allows an attacker who controls a federated identi

CVE-2024-56335 HIGH
7.5 Dec 20

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Rated high sev

CVE-2026-47159 MEDIUM
6.9 Jul 15

Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values -

CVE-2026-26012 MEDIUM
6.5 Feb 11

Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls

CVE-2026-47160 MEDIUM
5.8 Jul 15

{domain}/icon.png endpoint, bypassing the server's address blocklist. The icon-fetching HTTP client in src/http_client.r

CVE-2026-27898 MEDIUM
5.4 Mar 04

Vaultwarden versions up to 1.35.4 is affected by authorization bypass through user-controlled key (CVSS 5.4).

CVE-2026-33420 MEDIUM
5.3 May 05

Vaultwarden versions 1.35.4 and earlier expose organization collection metadata to Manager-role users lacking full acces

CVE-2026-31835 MEDIUM
5.3 May 05

Vaultwarden versions 1.35.4 and earlier allow authenticated attackers to permanently disable WebAuthn two-factor authent

Share

CVE-2026-43911 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy