WebAuthn Authentication Flaw in Vaultwarden Affects User Credentials
CVE-2026-31835

5.3 MEDIUM

Key Information:

Vendor:
CVE Published: 5 May 2026

What is CVE-2026-31835?

A vulnerability in Vaultwarden, a Bitwarden-compatible server, affects the WebAuthn authentication process. In versions 1.35.4 and earlier, the validate_webauthn_login() function updates persistent credential metadata from the client-supplied authenticatorData before the signature over that data has been verified. An attacker who knows a user's password but cannot produce a valid WebAuthn signature can therefore permanently change the backup flags stored for that user's credential: when signature verification subsequently fails, the database update is not rolled back. The result is a potentially persistent denial of service of WebAuthn two-factor authentication for affected users. This vulnerability poses significant risks to credential security and user access, and has been resolved in version 1.35.5.
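The defect described above is an ordering bug: state derived from unauthenticated input is persisted before the input is authenticated. The following Rust program is an added illustration and is not Vaultwarden's code; it simulates the two orderings against an in-memory store. The credential schema, the Db type, the FNV-1a "toy signature" standing in for real ECDSA/RSA verification, and the sample inputs are all constructed for the example. The only thing taken from WebAuthn itself is the authenticatorData layout (32-byte rpIdHash, flags byte with BE = 0x08 and BS = 0x10, then the sign count).

```rust
use std::collections::HashMap;

/// Persisted WebAuthn credential record, reduced to the fields that matter here
/// (constructed for this example; not Vaultwarden's schema).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct StoredCredential {
    pub backup_eligible: bool,
    pub backup_state: bool,
    /// Stand-in for the registered public key, used only by the toy verifier below.
    pub verify_secret: Vec<u8>,
}

/// Toy persistence layer standing in for the server's database.
#[derive(Default)]
pub struct Db {
    rows: HashMap<String, StoredCredential>,
}

impl Db {
    pub fn insert(&mut self, id: &str, cred: StoredCredential) {
        self.rows.insert(id.to_string(), cred);
    }
    pub fn get(&self, id: &str) -> Option<StoredCredential> {
        self.rows.get(id).cloned()
    }
    fn save(&mut self, id: &str, cred: &StoredCredential) {
        self.rows.insert(id.to_string(), cred.clone());
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum LoginError {
    UnknownCredential,
    MalformedAuthData,
    BadSignature,
}

// authenticatorData layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes) || ...
// Flag bits used here: BE (backup eligible) = 0x08, BS (backup state) = 0x10.
pub const FLAG_BE: u8 = 0x08;
pub const FLAG_BS: u8 = 0x10;

/// Reads the backup flags out of raw authenticatorData. Nothing here is authenticated yet:
/// the bytes come straight from the client.
pub fn backup_flags(auth_data: &[u8]) -> Result<(bool, bool), LoginError> {
    let flags = *auth_data.get(32).ok_or(LoginError::MalformedAuthData)?;
    Ok((flags & FLAG_BE != 0, flags & FLAG_BS != 0))
}

/// FNV-1a, used only to build a toy "signature". Real WebAuthn verification checks an
/// ECDSA/RSA signature over authenticatorData || SHA-256(clientDataJSON) with the stored key.
fn fnv1a(data: &[u8]) -> u64 {
    data.iter()
        .fold(0xcbf29ce484222325u64, |h, b| (h ^ *b as u64).wrapping_mul(0x100000001b3))
}

/// Toy signer: what a legitimate authenticator would produce in this simulation.
pub fn toy_sign(cred: &StoredCredential, auth_data: &[u8]) -> Vec<u8> {
    let mut buf = cred.verify_secret.clone();
    buf.extend_from_slice(auth_data);
    fnv1a(&buf).to_be_bytes().to_vec()
}

fn signature_valid(cred: &StoredCredential, auth_data: &[u8], sig: &[u8]) -> bool {
    toy_sign(cred, auth_data).as_slice() == sig
}

pub type Validator = fn(&mut Db, &str, &[u8], &[u8]) -> Result<(), LoginError>;

/// Vulnerable ordering: metadata taken from unverified authenticatorData is persisted,
/// then the signature is checked; a failed check leaves the write in place.
pub fn validate_login_vulnerable(db: &mut Db, id: &str, auth_data: &[u8], sig: &[u8]) -> Result<(), LoginError> {
    let mut cred = db.get(id).ok_or(LoginError::UnknownCredential)?;
    let (be, bs) = backup_flags(auth_data)?;
    cred.backup_eligible = be;
    cred.backup_state = bs;
    db.save(id, &cred); // written before the signature is verified
    if !signature_valid(&cred, auth_data, sig) {
        return Err(LoginError::BadSignature); // the write above is never rolled back
    }
    Ok(())
}

/// Fixed ordering: verify first; persist anything derived from authenticatorData only afterwards.
pub fn validate_login_fixed(db: &mut Db, id: &str, auth_data: &[u8], sig: &[u8]) -> Result<(), LoginError> {
    let mut cred = db.get(id).ok_or(LoginError::UnknownCredential)?;
    let (be, bs) = backup_flags(auth_data)?;
    if !signature_valid(&cred, auth_data, sig) {
        return Err(LoginError::BadSignature); // database untouched
    }
    cred.backup_eligible = be;
    cred.backup_state = bs;
    db.save(id, &cred);
    Ok(())
}

/// Minimal authenticatorData: zeroed rpIdHash, the given flags byte, signCount 1 (constructed input).
pub fn auth_data_with_flags(flags: u8) -> Vec<u8> {
    let mut d = vec![0u8; 32];
    d.push(flags);
    d.extend_from_slice(&1u32.to_be_bytes());
    d
}

/// A credential registered as not backup-eligible (constructed sample).
pub fn demo_credential() -> StoredCredential {
    StoredCredential { backup_eligible: false, backup_state: false, verify_secret: b"constructed-secret".to_vec() }
}

fn main() {
    let forged = auth_data_with_flags(0x01 | FLAG_BE | FLAG_BS); // UP set, BE and BS switched on
    let bad_sig = vec![0u8; 8];                                   // does not verify
    let impls: [(&str, Validator); 2] = [("vulnerable", validate_login_vulnerable), ("fixed", validate_login_fixed)];
    for (name, validate) in impls {
        let mut db = Db::default();
        db.insert("cred-1", demo_credential());
        let outcome = validate(&mut db, "cred-1", &forged, &bad_sig);
        let after = db.get("cred-1").unwrap();
        println!("{}: result={:?}, stored BE={} BS={}", name, outcome, after.backup_eligible, after.backup_state);
    }
}
```

Both variants reject the request with BadSignature, but only the vulnerable one leaves the stored flags flipped. The general rule the fixed version follows is the one worth carrying into any authentication handler: parse and validate everything you need from the untrusted message, verify the proof of possession, and only then touch persistent state (or wrap the whole sequence in a transaction that rolls back on failure).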

Affected Version(s)

vaultwarden < 1.35.5

References

CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
