Vulnerability Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dani-Garcia | Vaultwarden | < 1.35.5 |
Related Weaknesses (CWE)
References
- https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-6j4w-g4jh-xjExploitMitigationVendor Advisory
- https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-6j4w-g4jh-xjExploitMitigationVendor Advisory
FAQ
What is CVE-2026-43911?
CVE-2026-43911 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (passw...
How severe is CVE-2026-43911?
CVE-2026-43911 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-43911?
Check the references section above for vendor advisories and patch information. Affected products include: Dani-Garcia Vaultwarden.