CVE-2026-43913
Vaultwarden Organization Vault Purge via Unconfirmed Owner

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow is a two-step process: accepting an invite transitions the membership from Invited to Accepted, and a separate confirmation by an existing owner upgrades it to Confirmed. The POST /api/ciphers/purge endpoint uses plain Headers and only checks that the membership type is Owner, without verifying that the membership status is Confirmed. An authenticated user who has been invited as an organization owner, has accepted the invite, and has not yet been confirmed can call this endpoint to hard-delete all ciphers and attachments in the organization, causing immediate organization-wide data loss. This vulnerability is fixed in 1.35.5.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-12
AI Q&A: 2026-05-12
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: vaultwarden
Product: vaultwarden
Version / Range: up to 1.35.5 (excluding 1.35.5)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Vaultwarden versions prior to 1.35.5. Vaultwarden is a Bitwarden-compatible server written in Rust. The issue arises because an unconfirmed organization owner (someone who has accepted an invite to join an organization but has not yet been confirmed by an existing owner) can purge the entire organization vault.

The organization invite process involves two steps: first, a user accepts an invite, changing their membership status from Invited to Accepted; second, an existing owner confirms the user, upgrading their status to Confirmed. However, the POST /api/ciphers/purge endpoint only checks if the user is an Owner but does not verify if their membership status is Confirmed.

As a result, an authenticated user who is an unconfirmed owner can call this endpoint to hard-delete all ciphers and attachments in the organization, causing immediate and complete data loss for the organization.
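The authorization gap described in the Description and in the answer above, modelled as an added Rust example (illustrative code written for this page, not Vaultwarden's own): a check that inspects only the membership type beside the fixed check that also requires Confirmed status. The enum and struct names, the `purge_org_vault` helper and the in-memory vault are assumptions made for the example.

```rust
// Added illustrative example; the types and helper below are assumed for the
// demonstration and are not Vaultwarden's own code.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum MembershipType { User, Admin, Owner }

/// Invite flow from the advisory: Invited -> Accepted -> Confirmed.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum MembershipStatus { Invited, Accepted, Confirmed }

#[derive(Clone, Copy, Debug)]
pub struct Membership { pub atype: MembershipType, pub status: MembershipStatus }

/// Pre-1.35.5 behaviour as described: only the membership type is checked,
/// so an Accepted-but-unconfirmed owner is allowed through.
pub fn can_purge_vulnerable(m: &Membership) -> bool {
    m.atype == MembershipType::Owner
}

/// Fixed behaviour: the caller must be an Owner AND Confirmed.
pub fn can_purge_fixed(m: &Membership) -> bool {
    m.atype == MembershipType::Owner && m.status == MembershipStatus::Confirmed
}

/// Simulated purge handler over an in-memory vault. Returns the number of
/// items removed, or a 403-style error when the authorization check fails.
pub fn purge_org_vault(m: &Membership, vault: &mut Vec<String>, fixed: bool)
    -> Result<usize, &'static str>
{
    let allowed = if fixed { can_purge_fixed(m) } else { can_purge_vulnerable(m) };
    if !allowed {
        return Err("forbidden: purge requires a confirmed owner");
    }
    let removed = vault.len();
    vault.clear();
    Ok(removed)
}

fn main() {
    // Constructed sample: an invited owner who accepted but was never confirmed.
    let unconfirmed_owner = Membership { atype: MembershipType::Owner, status: MembershipStatus::Accepted };
    let vault = vec!["cipher-1".to_string(), "cipher-2".to_string(), "attachment-1".to_string()];
    let mut v1 = vault.clone();
    let mut v2 = vault.clone();
    println!("vulnerable check: {:?}", purge_org_vault(&unconfirmed_owner, &mut v1, false)); // Ok(3)
    println!("fixed check:      {:?}", purge_org_vault(&unconfirmed_owner, &mut v2, true));  // Err(..)
    println!("vault after fixed check still holds {} items", v2.len());
}
```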


How can this vulnerability impact me?

This vulnerability can lead to immediate and total loss of all encrypted data (ciphers and attachments) stored within an organization's Vaultwarden vault. An unconfirmed organization owner with malicious intent or compromised credentials could exploit this flaw to delete all sensitive information, causing significant disruption and data loss.

The impact includes loss of critical passwords, secrets, and attachments managed by the organization, potentially affecting business operations, security posture, and trust.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in Vaultwarden version 1.35.5. To mitigate this vulnerability, you should immediately upgrade your Vaultwarden server to version 1.35.5 or later.

This update ensures that the POST /api/ciphers/purge endpoint verifies that the organization owner's membership status is Confirmed before allowing the purge operation, preventing unconfirmed owners from deleting all organization data.

