Bypass in Two-Factor Authentication Functionality in Vaultwarden from dani-garcia
CVE-2026-43914

7.3 HIGH

Key Information:

Vendor: dani-garcia
CVE Published: 11 May 2026

What is CVE-2026-43914?

Vaultwarden releases before 1.35.4 allow an unauthenticated, network-based attacker to bypass the login brute-force protection when email two-factor authentication (2FA) is enabled. The '/api/two-factor/send-email-login' endpoint acts as an oracle: requests to it are not counted by the login rate limiter, so an attacker can use it to test whether a username is valid without being throttled. Because the endpoint responds regardless of whether the targeted account has email 2FA configured, accounts without email 2FA are also exposed to brute-force attacks. The issue is fixed in version 1.35.4; operators should upgrade and, until then, apply rate limiting to this endpoint at the reverse proxy.
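The two checks a practitioner wants after reading this advisory are (a) is my instance on a vulnerable release, and (b) is anyone already hammering the oracle endpoint. The following is an added example, not code from the Vaultwarden project: a version comparison against the fixed release 1.35.4, and a sliding-window detector that counts per-client requests to '/api/two-factor/send-email-login' in reverse-proxy access logs. The nginx-style log format, the 60-second / 10-request threshold, and the log lines themselves are assumptions constructed for illustration; Vaultwarden's own rate-limit settings are not referenced.

```python
"""
Added example for CVE-2026-43914 (not Vaultwarden project code).
Assumptions: nginx "combined"-style access logs, a 60 s window with a
10-request burst limit, and constructed sample traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FIXED_VERSION = (1, 35, 4)
ORACLE_PATH = "/api/two-factor/send-email-login"
LOGIN_PATH = "/identity/connect/token"

# Assumed log line shape: ip - - [ts] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_version(text):
    """'1.35.3' -> (1, 35, 3); tolerates a leading 'v' and a suffix like '-rc1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True for any Vaultwarden release before the fixed 1.35.4."""
    return parse_version(version_text) < FIXED_VERSION


def detect_oracle_abuse(lines, window_seconds=60, max_burst=10):
    """
    Return {ip: peak_count} for clients that hit the send-email-login oracle
    more than `max_burst` times inside any `window_seconds` sliding window.
    Before 1.35.4 the login limiter did not cover this path, so the proxy or
    SIEM has to count it itself; this is that count.
    """
    windows = defaultdict(deque)   # ip -> timestamps of recent oracle hits
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?")[0] != ORACLE_PATH:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > window_seconds:   # drop hits outside the window
            q.popleft()
        if len(q) > max_burst:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log():
    """Constructed access-log lines (not real traffic): one client bursts the
    oracle endpoint 12 times in ~22 s; another does two logins and one oracle call."""
    base = datetime(2026, 5, 11, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path, status=200):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 0 "-" "curl/8.0"'

    lines = [line("203.0.113.5", 2 * i, ORACLE_PATH) for i in range(12)]
    lines += [
        line("198.51.100.7", 5, LOGIN_PATH, 400),
        line("198.51.100.7", 9, LOGIN_PATH, 200),
        line("198.51.100.7", 12, ORACLE_PATH),
    ]
    return lines


if __name__ == "__main__":
    for v in ("1.35.3", "1.35.4", "1.36.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print("oracle abuse:", detect_oracle_abuse(sample_log()))
```

Feed real proxy logs in as an iterable of strings; the threshold should match whatever login rate limit the instance already enforces, since the whole point of the bug is that the oracle path escaped that limit.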

Affected Version(s)

vaultwarden < 1.35.4

References

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Score: 7.3 (HIGH)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability published: 11 May 2026

  • Vulnerability reserved
