CVE-2026-43913
Received Received - Intake
Vaultwarden Organization Vault Purge via Unconfirmed Owner

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, and a separate confirmation by an existing owner upgrades it to Confirmed. The POST /api/ciphers/purge endpoint uses plain Headers and only checks that the membership type is Owner without verifying that the membership status is Confirmed. An authenticated user who has been invited as an organization owner and has accepted the invite and has not yet been confirmed can call this endpoint to hard-delete all ciphers and attachments in the organization, causing immediate organization-wide data loss. This vulnerability is fixed in 1.35.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43913
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vaultwarden vaultwarden to 1.35.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Vaultwarden versions prior to 1.35.5. Vaultwarden is a Bitwarden-compatible server written in Rust. The issue arises because an unconfirmed organization ownerβ€”someone who has accepted an invite to join an organization but has not yet been confirmed by an existing ownerβ€”can purge the entire organization vault.

The organization invite process involves two steps: first, a user accepts an invite, changing their membership status from Invited to Accepted; second, an existing owner confirms the user, upgrading their status to Confirmed. However, the POST /api/ciphers/purge endpoint only checks if the user is an Owner but does not verify if their membership status is Confirmed.

As a result, an authenticated user who is an unconfirmed owner can call this endpoint to hard-delete all ciphers and attachments in the organization, causing immediate and complete data loss for the organization.

Impact Analysis

This vulnerability can lead to immediate and total loss of all encrypted data (ciphers and attachments) stored within an organization's Vaultwarden vault. An unconfirmed organization owner with malicious intent or compromised credentials could exploit this flaw to delete all sensitive information, causing significant disruption and data loss.

The impact includes loss of critical passwords, secrets, and attachments managed by the organization, potentially affecting business operations, security posture, and trust.

Mitigation Strategies

The vulnerability is fixed in Vaultwarden version 1.35.5. To mitigate this vulnerability, you should immediately upgrade your Vaultwarden server to version 1.35.5 or later.

This update ensures that the POST /api/ciphers/purge endpoint verifies that the organization owner's membership status is Confirmed before allowing the purge operation, preventing unconfirmed owners from deleting all organization data.

Compliance Impact

This vulnerability allows an unconfirmed organization owner to purge the entire organization vault, causing immediate organization-wide data loss.

Such unauthorized data deletion could impact compliance with data protection regulations like GDPR and HIPAA, which require organizations to ensure the integrity and availability of sensitive data.

However, the provided information does not explicitly discuss compliance implications or how this vulnerability affects adherence to these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43913. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart