What is the CVSS score of CVE-2026-43913?

CVE-2026-43913 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-43913?

Yes, a patch is available for CVE-2026-43913. Update the affected software to the latest version immediately.

Hashicorp CVE-2026-43913

EUVD-2026-29341 HIGH

Incorrect Authorization (CWE-863)

2026-05-11 GitHub_M

Authentication Bypass Hashicorp

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 11, 2026 - 23:03 EUVD

CVE Published

May 11, 2026 - 22:01 nvd

HIGH 8.1

DescriptionNVD

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, and a separate confirmation by an existing owner upgrades it to Confirmed. The POST /api/ciphers/purge endpoint uses plain Headers and only checks that the membership type is Owner without verifying that the membership status is Confirmed. An authenticated user who has been invited as an organization owner and has accepted the invite and has not yet been confirmed can call this endpoint to hard-delete all ciphers and attachments in the organization, causing immediate organization-wide data loss. This vulnerability is fixed in 1.35.5.

Analysis

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-8903 MEDIUM This Month

4.3 May 27

Cross-Site Request Forgery in the Two-factor Authentication (formerly IP Vault) WordPress plugin versions up to and incl

CVE-2026-9223 Monitor

4.3 May 22

Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged

CVE-2026-9246 This Week

4.3 May 22

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated

CVE-2026-9248 Monitor

2.6 May 22

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write acce

CVE-2026-43913 vulnerability details – vuln.today

Back

Hashicorp CVE-2026-43913

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code