CVE-2026-43914
Received Received - Intake
Brute-force Protection Bypass in Vaultwarden

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43914
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vaultwarden vaultwarden to 1.35.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Vaultwarden allows an attacker to bypass login brute-force protection when email 2FA is enabled, enabling password brute-forcing without rate-limiting. This could lead to unauthorized access to user accounts, potentially exposing sensitive personal or health information.

Such unauthorized access risks violating common standards and regulations like GDPR and HIPAA, which require protecting user data confidentiality and implementing strong authentication controls.

Therefore, until the vulnerability is fixed (in version 1.35.4), affected Vaultwarden deployments may be non-compliant with these regulations due to insufficient protection against brute-force attacks.

Executive Summary

This vulnerability exists in Vaultwarden versions prior to 1.35.4. It allows an attacker to bypass the login brute-force protection when email two-factor authentication (2FA) is enabled. Specifically, the unprotected 2FA function send_email_login (located in email.rs and accessible via the API endpoint /api/two-factor/send-email-login) can be used as an oracle to verify if a username-password combination is correct.

An attacker can abuse this endpoint to perform brute-force password attacks without any rate-limiting, even against users who do not have email 2FA configured. This means the usual protections against repeated login attempts are ineffective in this scenario.

The vulnerability was fixed in Vaultwarden version 1.35.4.

Impact Analysis

This vulnerability can allow attackers to brute-force user passwords without being limited by typical rate-limiting protections. As a result, attackers may gain unauthorized access to user accounts by systematically guessing passwords.

Such unauthorized access can lead to exposure of sensitive information stored in Vaultwarden, including passwords and other confidential data.

The vulnerability affects the confidentiality, integrity, and availability of the system, as indicated by its CVSS score of 7.3 with impacts on confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Vaultwarden to version 1.35.4 or later, where the issue is fixed.

Until the upgrade is applied, consider disabling email 2FA to prevent abuse of the unprotected send_email_login endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43914. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart