2FA Bypass Vulnerability in Vaultwarden by Vaultwarden
CVE-2026-27801

6 MEDIUM

Key Information:

Vendor
CVE Published: 4 March 2026

What is CVE-2026-27801?

Vaultwarden, an unofficial Bitwarden-compatible server, is susceptible to a 2FA bypass in versions prior to 1.35.0. An attacker with authenticated access can exploit the bypass to perform unauthorized actions, including accessing sensitive user information such as API keys or deleting user vaults and organizations for which the attacker is an admin or owner. Users are urged to update to version 1.35.0 to mitigate this risk.

Affected Version(s)

vaultwarden < 1.35.0

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
