CVE-2026-31835
Analyzed Analyzed - Analysis Complete
WebAuthn Authentication Bypass in Vaultwarden

Publication date: 2026-05-05

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1backup_eligible1 and 1backup_state flags1) based on unverified `authenticatorData` before signature validation is performed. An attacker who knows a user's password but cannot produce a valid WebAuthn signature can permanently modify the stored backup flags for that user's credential. If signature verification fails, the database update is not rolled back. This can result in a persistent denial of service of WebAuthn two-factor authentication for affected credentials. This issue has been fixed in version 1.35.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31835
EUVD
EUVD-2026-27424
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dani-garcia vaultwarden to 1.35.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Vaultwarden versions 1.35.4 and earlier in the WebAuthn authentication flow. Specifically, the function validate_webauthn_login() updates persistent credential metadata flags (backup_eligible and backup_state) based on unverified authenticatorData before verifying the WebAuthn signature.

An attacker who knows a user's password but cannot produce a valid WebAuthn signature can exploit this flaw to permanently modify the stored backup flags for that user's credential. Because the database update is not rolled back if signature verification fails, this can cause a persistent denial of service for WebAuthn two-factor authentication on affected credentials.

The issue is caused by insufficient verification of data authenticity (CWE-345) and has been fixed in Vaultwarden version 1.35.5.

Impact Analysis

This vulnerability can lead to a persistent denial of service of WebAuthn two-factor authentication for affected user credentials.

An attacker who knows a user's password but cannot produce a valid WebAuthn signature can still modify the backup flags in the credential metadata, effectively disabling the user's ability to use WebAuthn 2FA.

This reduces the security of the affected accounts by preventing the use of a strong second factor, potentially increasing the risk of unauthorized access if other authentication factors are compromised.

Mitigation Strategies

To mitigate this vulnerability, you should immediately update Vaultwarden to version 1.35.5 or later, where the issue has been fixed.

The update includes critical security fixes that prevent unauthorized modification of WebAuthn credential metadata and improve overall security, including invalidation of old Two-Factor Authentication remember tokens.

Applying this update will prevent attackers from causing a persistent denial of service of WebAuthn two-factor authentication by tampering with backup flags.

Compliance Impact

The provided information does not specify how CVE-2026-31835 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31835. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart