Refresh Token Vulnerability in Vaultwarden by Dan Garcia
CVE-2026-43911

6.8 MEDIUM

Key Information:

CVE Published: 11 May 2026

What is CVE-2026-43911?

Vaultwarden, a Bitwarden-compatible server, has a session management flaw: refresh tokens remain valid even after the user performs significant security actions. An attacker holding a compromised refresh token can therefore keep access to the user's session despite a password update or a change to security settings. The issue is fixed in version 1.35.5, which invalidates refresh tokens appropriately during sensitive operations.
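An added example (not Vaultwarden's code, and not its schema) of the invalidation behaviour the fix requires: each refresh token records the user's security stamp at issue time, and every sensitive operation rotates that stamp. The expiry-only check reproduces the flawed behaviour described above; the hardened check rejects any token minted before the last rotation. All type and function names are hypothetical.

```rust
use std::collections::HashMap;

/// Refresh token as handed to a client. `stamp` is the user's security stamp
/// at issue time (hypothetical field, not Vaultwarden's schema).
#[derive(Clone, Debug, PartialEq)]
pub struct RefreshToken {
    pub user_id: u64,
    pub stamp: u64,
    pub expires_at: u64, // unix seconds
}

/// Per-user security stamp store. A sensitive operation bumps the stamp.
#[derive(Default)]
pub struct UserStore {
    stamps: HashMap<u64, u64>,
}

impl UserStore {
    pub fn create_user(&mut self, user_id: u64) {
        self.stamps.insert(user_id, 1);
    }

    /// Mint a refresh token bound to the user's current stamp.
    pub fn issue_refresh(&self, user_id: u64, now: u64, ttl: u64) -> Option<RefreshToken> {
        let stamp = *self.stamps.get(&user_id)?;
        Some(RefreshToken { user_id, stamp, expires_at: now + ttl })
    }

    /// Password change or security-settings change: rotate the stamp so every
    /// previously issued refresh token stops matching.
    pub fn sensitive_operation(&mut self, user_id: u64) {
        if let Some(s) = self.stamps.get_mut(&user_id) {
            *s += 1;
        }
    }

    /// Flawed check (the behaviour the advisory describes): expiry only, so a
    /// token minted before a password change still refreshes the session.
    pub fn validate_expiry_only(&self, tok: &RefreshToken, now: u64) -> bool {
        self.stamps.contains_key(&tok.user_id) && now < tok.expires_at
    }

    /// Hardened check: not expired AND stamp equals the user's current stamp.
    pub fn validate(&self, tok: &RefreshToken, now: u64) -> bool {
        match self.stamps.get(&tok.user_id) {
            Some(&current) => now < tok.expires_at && tok.stamp == current,
            None => false,
        }
    }
}
```

Persisting the stamp with the user record (and rotating it on every credential or security-setting change) is what makes old tokens fail closed without keeping a per-token revocation list.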

Affected Version(s)

vaultwarden < 1.35.5

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
