CVE-2026-43914
Status: Received - Intake
Brute-force Protection Bypass in Vaultwarden

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, Vaultwarden allows the login brute-force protection to be bypassed when email 2FA is enabled. With email 2FA enabled, the unprotected 2FA function send_email_login (email.rs, API endpoint /api/two-factor/send-email-login) also acts as an oracle that reveals whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate limiting. This works even for users who do not have email 2FA configured. This vulnerability is fixed in 1.35.4.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-12
AI Q&A: 2026-05-12
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: vaultwarden
Product: vaultwarden
Version / Range: up to 1.35.4 (excluding)
CWE
CWE ID: CWE-307
Description: The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Vaultwarden versions prior to 1.35.4. It allows an attacker to bypass the login brute-force protection when email two-factor authentication (2FA) is enabled. Specifically, the unprotected 2FA function send_email_login (located in email.rs and accessible via the API endpoint /api/two-factor/send-email-login) can be used as an oracle to verify if a username-password combination is correct.

An attacker can abuse this endpoint to perform brute-force password attacks without any rate-limiting, even against users who do not have email 2FA configured. This means the usual protections against repeated login attempts are ineffective in this scenario.

The vulnerability was fixed in Vaultwarden version 1.35.4.


How can this vulnerability impact me?

This vulnerability can allow attackers to brute-force user passwords without being limited by typical rate-limiting protections. As a result, attackers may gain unauthorized access to user accounts by systematically guessing passwords.

Such unauthorized access can lead to exposure of sensitive information stored in Vaultwarden, including passwords and other confidential data.

The vulnerability affects the confidentiality, integrity, and availability of the system, as reflected in its CVSS score of 7.3.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Vaultwarden to version 1.35.4 or later, where the issue is fixed.

Until the upgrade is applied, consider disabling email 2FA to prevent abuse of the unprotected send_email_login endpoint.
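As an added example (not Vaultwarden's own code), the following Python flags client IPs that send bursts of requests to the endpoint named above in reverse-proxy access logs, which helps spot abuse of the oracle while the upgrade is pending. The Common Log Format lines, IP addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Endpoint named in the advisory: the unprotected 2FA oracle.
TARGET_PATH = "/api/two-factor/send-email-login"

# Assumed format: Common Log Format from a reverse proxy in front of Vaultwarden.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]


def find_bursts(lines, window_s=60, threshold=10):
    """Flag client IPs that POST to TARGET_PATH more than `threshold` times within
    any sliding `window_s`-second window. Lines are expected in chronological
    order, as in a log file. Returns {ip: count_in_window_when_first_flagged}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path != TARGET_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # drop timestamps that fell out of the window
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = len(q)
    return flagged


# Constructed sample log: one user enabling email 2FA (one request), one client
# hitting the oracle every three seconds, and an unrelated login request.
SAMPLE_LOG = (
    ['203.0.113.5 - - [11/May/2026:10:00:00 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 200 2']
    + [f'198.51.100.9 - - [11/May/2026:10:00:{s:02d} +0000] "POST {TARGET_PATH} HTTP/1.1" 400 35'
       for s in range(5, 40, 3)]
    + ['203.0.113.5 - - [11/May/2026:10:00:45 +0000] "POST /identity/connect/token HTTP/1.1" 200 512']
)

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))   # {'198.51.100.9': 11}
```

The threshold should sit above the number of sends a legitimate user generates while setting up or using email 2FA, and the check works only on logs from a proxy that records the request path.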

