CVE-2026-43911
Received Received - Intake
Refresh Token Persistence in Vaultwarden After Security Stamp Rotation

Publication date: 2026-05-11

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-18
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43911
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dani-garcia vaultwarden to 1.35.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken security-sensitive actions to secure their account, such as password changes or key rotations.

Such unauthorized persistent access could lead to unauthorized data exposure or modification, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and timely revocation of credentials after security events.

However, specific impacts on compliance are not detailed in the provided information.

Executive Summary

This vulnerability affects Vaultwarden, a Bitwarden-compatible server. Before version 1.35.5, when a user performs security-sensitive operations such as changing their password, key derivation function (KDF), key rotation, email change, organization admin password reset, or emergency access takeover, the refresh tokens are not invalidated. This means that an attacker who has previously obtained a refresh token can continue to use it to maintain session access even after the user has taken steps to secure their account.

Impact Analysis

The vulnerability allows an attacker with a previously obtained refresh token to maintain unauthorized access to a user's session despite the user performing security-sensitive actions intended to secure their account. This can lead to continued unauthorized access to sensitive information stored in Vaultwarden, potentially compromising user data confidentiality and integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Vaultwarden to version 1.35.5 or later, where the issue with refresh tokens not being invalidated after security-sensitive operations is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43911. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart