Vulnerability Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dani-Garcia | Vaultwarden | < 1.35.4 |
Related Weaknesses (CWE)
References
- https://github.com/dani-garcia/vaultwarden/pull/6867Issue TrackingPatch
- https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4ProductRelease Notes
- https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-c5rv-q295-7wExploitPatchVendor Advisory
- https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-c5rv-q295-7wExploitPatchVendor Advisory
FAQ
What is CVE-2026-43914?
CVE-2026-43914 is a vulnerability with a CVSS score of 7.3 (HIGH). Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is e...
How severe is CVE-2026-43914?
CVE-2026-43914 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-43914?
Check the references section above for vendor advisories and patch information. Affected products include: Dani-Garcia Vaultwarden.