CVE-2026-43914

EUVD-2026-29342

11.05.2026, 23:20

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	7.3 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 10%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
dani-garcia	vaultwarden	𝑥 < 1.35.4	CNA

Common Weakness Enumeration

CWE-307 - Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

Vulnerability Media Exposure

[GERMAN] Vaultwarden: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Vaultwarden ausnutzen, um Sicherheitsvorkehrungen zu umgehen, um einen Denial of Service Angriff durchzuführen, und um Informationen offenzulegen.
Published: 2026-04-26T22:00:00+00:00

References

https://github.com/dani-garcia/vaultwarden/pull/6867

https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4

https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-c5rv-q295-7w4g