CVE-2026-43911
Refresh Token Persistence in Vaultwarden After Security Stamp Rotation
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vaultwarden | vaultwarden | to 1.35.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Vaultwarden, a Bitwarden-compatible server. Before version 1.35.5, when a user performs security-sensitive operations such as changing their password, key derivation function (KDF), key rotation, email change, organization admin password reset, or emergency access takeover, the refresh tokens are not invalidated. This means that an attacker who has previously obtained a refresh token can continue to use it to maintain session access even after the user has taken steps to secure their account.
How can this vulnerability impact me? :
The vulnerability allows an attacker with a previously obtained refresh token to maintain unauthorized access to a user's session despite the user performing security-sensitive actions intended to secure their account. This can lead to continued unauthorized access to sensitive information stored in Vaultwarden, potentially compromising user data confidentiality and integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Vaultwarden to version 1.35.5 or later, where the issue with refresh tokens not being invalidated after security-sensitive operations is fixed.