CVE-2026-43914 – Vaultwarden: Brute-force protection bypass vulnerability

CVE ID :CVE-2026-43914

Published : May 11, 2026, 11:20 p.m. | 2 hours, 37 minutes ago

Description :Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don’t have email 2fa configured. This vulnerability is fixed in 1.35.4.

Severity: 7.3 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-45362 – Sangoma Switchvox SIP Authentication Credential Exposure

CVE-2026-45321 – Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

CVE-2026-8349 – omec-project amf NGAP Message memory corruption

CVE-2026-8346 – D-Link DIR-816 portForward command injection