Unauthorized Purge Capability in Vaultwarden Affects Data Integrity
CVE-2026-43913

8.1HIGH

Key Information:

Vendor: Dani-garcia
Status: Vaultwarden
Vendor: CVE Published:; 11 May 2026

🔔 Create Dani-garcia Vulnerability Alert

What is CVE-2026-43913?

Vaultwarden, a Bitwarden-compatible password manager server, contains a significant security flaw that allows unauthorized organization owners to purge the entire organization vault. This vulnerability arises from the absence of adequate verification processes in the organization invite flow. An invited owner, upon acceptance of their invite but before achieving 'Confirmed' status, can exploit the POST /api/ciphers/purge endpoint to permanently delete all ciphers and attachments, jeopardizing sensitive data and leading to instant organization-wide data loss. The issue has been rectified in version 1.35.5.

Affected Version(s)

vaultwarden < 1.35.5

References

https://github.com/dani-garcia/vaultwarden/security/advis...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
May 4, 2026

CVE-2026-43913 Data

JSON