CVE-2026-31835
WebAuthn Authentication Bypass in Vaultwarden
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vaultwarden | vaultwarden | to 1.35.5 (exc) |
| vaultwarden | vaultwarden | 1.35.5 |
| dani-garcia | vaultwarden | 1.35.4 |
| dani-garcia | vaultwarden | to 1.35.5 (exc) |
| dani-garcia | vaultwarden | 1.35.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Vaultwarden versions 1.35.4 and earlier in the WebAuthn authentication flow. Specifically, the function validate_webauthn_login() updates persistent credential metadata flags (backup_eligible and backup_state) based on unverified authenticatorData before verifying the WebAuthn signature.
An attacker who knows a user's password but cannot produce a valid WebAuthn signature can exploit this flaw to permanently modify the stored backup flags for that user's credential. Because the database update is not rolled back if signature verification fails, this can cause a persistent denial of service for WebAuthn two-factor authentication on affected credentials.
The issue is caused by insufficient verification of data authenticity (CWE-345) and has been fixed in Vaultwarden version 1.35.5.
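The ordering problem described above, modelled as an added example (not Vaultwarden's code): a login handler that writes backup flags from client-supplied authenticatorData before checking the assertion signature, next to the hardened version that verifies first and only then persists. The record and function names, and the signature check (a deterministic hash tag standing in for real WebAuthn signature verification, so it is not cryptography) are assumptions of this example.

```rust
// Added example modelling the flaw described for CVE-2026-31835.
// Not Vaultwarden's code; types, names and the signature stand-in are assumed.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Persistent credential metadata (stand-in for the stored record whose
/// backup flags the advisory says were overwritten before verification).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct StoredCredential {
    pub backup_eligible: bool,
    pub backup_state: bool,
}

/// Flags parsed from the client-supplied authenticatorData. Until the
/// assertion signature has been verified, these are unauthenticated input.
pub struct AuthenticatorData {
    pub backup_eligible: bool,
    pub backup_state: bool,
}

/// The assertion the client returns for a login challenge.
pub struct AssertionResponse {
    pub authenticator_data: AuthenticatorData,
    pub signature: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum LoginError {
    BadSignature,
}

/// Stand-in for signature generation/verification (constructed, NOT real
/// cryptography): a deterministic tag over the per-credential secret, the
/// challenge and the flags the authenticatorData asserts. Covering the flags
/// mirrors the fact that a real assertion signature covers authenticatorData,
/// so flags that were tampered with do not verify.
pub fn sign(secret: u64, challenge: &[u8], ad: &AuthenticatorData) -> u64 {
    let mut h = DefaultHasher::new();
    secret.hash(&mut h);
    challenge.hash(&mut h);
    ad.backup_eligible.hash(&mut h);
    ad.backup_state.hash(&mut h);
    h.finish()
}

fn signature_valid(secret: u64, challenge: &[u8], resp: &AssertionResponse) -> bool {
    sign(secret, challenge, &resp.authenticator_data) == resp.signature
}

/// Vulnerable ordering: stored flags are written from unverified
/// authenticatorData before the signature check, and a failed check does not
/// roll the write back, so a caller who fails verification still changes
/// persistent state.
pub fn login_vulnerable(
    stored: &mut StoredCredential,
    secret: u64,
    challenge: &[u8],
    resp: &AssertionResponse,
) -> Result<(), LoginError> {
    stored.backup_eligible = resp.authenticator_data.backup_eligible;
    stored.backup_state = resp.authenticator_data.backup_state;
    if !signature_valid(secret, challenge, resp) {
        return Err(LoginError::BadSignature);
    }
    Ok(())
}

/// Hardened ordering: nothing persistent is touched until the signature has
/// been verified, so only authenticated authenticatorData reaches storage.
pub fn login_fixed(
    stored: &mut StoredCredential,
    secret: u64,
    challenge: &[u8],
    resp: &AssertionResponse,
) -> Result<(), LoginError> {
    if !signature_valid(secret, challenge, resp) {
        return Err(LoginError::BadSignature);
    }
    stored.backup_eligible = resp.authenticator_data.backup_eligible;
    stored.backup_state = resp.authenticator_data.backup_state;
    Ok(())
}

fn main() {
    // Constructed inputs: a credential whose flags are both set, and an
    // assertion whose flags are cleared but whose signature does not verify.
    let secret = 0x5eed_u64;
    let challenge = b"constructed-challenge";
    let bad = AssertionResponse {
        authenticator_data: AuthenticatorData { backup_eligible: false, backup_state: false },
        signature: 0,
    };
    let mut before_fix = StoredCredential { backup_eligible: true, backup_state: true };
    let mut after_fix = before_fix.clone();
    let _ = login_vulnerable(&mut before_fix, secret, challenge, &bad);
    let _ = login_fixed(&mut after_fix, secret, challenge, &bad);
    println!("vulnerable ordering left: {:?}", before_fix);
    println!("fixed ordering left:      {:?}", after_fix);
}
```

The invariant to check in any such handler is that every write to durable state sits after the last authentication decision, or inside a transaction that is rolled back when that decision fails.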
How can this vulnerability impact me?
This vulnerability can lead to a persistent denial of service of WebAuthn two-factor authentication for affected user credentials.
An attacker who knows a user's password but cannot produce a valid WebAuthn signature can still modify the backup flags in the credential metadata, effectively disabling the user's ability to use WebAuthn 2FA.
This reduces the security of the affected accounts by preventing the use of a strong second factor, potentially increasing the risk of unauthorized access if other authentication factors are compromised.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should immediately update Vaultwarden to version 1.35.5 or later, where the issue has been fixed.
The update includes critical security fixes that prevent unauthorized modification of WebAuthn credential metadata and improve overall security, including invalidation of old Two-Factor Authentication remember tokens.
Applying this update will prevent attackers from causing a persistent denial of service of WebAuthn two-factor authentication by tampering with backup flags.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2026-31835 impacts compliance with common standards and regulations such as GDPR or HIPAA.