CVE-2026-43911 – Vaultwarden: Refresh tokens not invalidated on security stamp rotation

CVE ID :CVE-2026-43911

Published : May 11, 2026, 11:20 p.m. | 2 hours, 37 minutes ago

Description :Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user’s security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.

Severity: 6.8 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-45362 – Sangoma Switchvox SIP Authentication Credential Exposure

CVE-2026-45321 – Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

CVE-2026-8349 – omec-project amf NGAP Message memory corruption

CVE-2026-8346 – D-Link DIR-816 portForward command injection