Description
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can exploit this bypass to perform protected actions such as accessing the user’s API key or deleting the user’s vault and organisations the user is an admin/owner of . This issue has been patched in version 1.35.0.
Published: 2026-03-04
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: 2FA bypass allowing privileged actions such as accessing API keys and deleting vaults
Action: Apply Patch
AI Analysis

Impact

Vaultwarden, an unofficial Bitwarden-compatible server, contains a flaw that permits a two‑factor authentication bypass during protected operations. After an attacker gains authenticated access to a user account, the system fails to enforce rate limiting, enabling the attacker to execute privileged actions that normally require 2FA, including retrieving API keys and deleting the victim’s vault and associated organisations. The vulnerability is a classic authentication bypass (CWE‑307) which directly undermines the confidentiality and integrity of user data.

Affected Systems

The issue affects all instances of Vaultwarden version 1.34.3 and earlier. The vendor, dani‑garcia, has released version 1.35.0 which addresses the problem. Users running older versions are therefore exposed.

Risk and Exploitability

The CVSS score of 6 indicates a moderate severity, and the EPSS score of less than 1% suggests that exploitation attempts are unlikely to be widespread, especially since the attacker must already possess authenticated credentials. The vulnerability is not listed in the CISA KEV catalog, but it still poses a significant risk to accounts with high privilege, as the bypass allows full control over sensitive data and account structure. The attack vector is inferred to be remote, requiring prior authentication; attackers could obtain credentials through phishing, credential stuffing, or other enumeration techniques, after which the rate‑limit flaw can be leveraged to bypass 2FA requirements.

Generated by OpenCVE AI on April 16, 2026 at 13:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Vaultwarden 1.35.0 or later to remove the 2FA bypass
  • After upgrading, verify that rate limiting is active for protected endpoints and that no privileged actions proceed without valid 2FA tokens
  • Continuously monitor audit logs for unauthorized attempts to perform protected actions and review any accounts where 2FA was disabled or bypassed

Generated by OpenCVE AI on April 16, 2026 at 13:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v6pg-v89r-w8wr Vaultwarden has 2FA Bypass on Protected Actions due to Faulty Rate Limit Enforcement
History

Fri, 06 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Dani-garcia
Dani-garcia vaultwarden
Vendors & Products Dani-garcia
Dani-garcia vaultwarden

Wed, 04 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can exploit this bypass to perform protected actions such as accessing the user’s API key or deleting the user’s vault and organisations the user is an admin/owner of . This issue has been patched in version 1.35.0.
Title Vaultwarden: 2FA Bypass on Protected Actions due to Faulty Rate Limit Enforcement
Weaknesses CWE-307
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Dani-garcia Vaultwarden
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-05T15:30:50.274Z

Reserved: 2026-02-24T02:31:33.266Z

Link: CVE-2026-27801

cve-icon Vulnrichment

Updated: 2026-03-05T15:30:41.252Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T22:16:17.897

Modified: 2026-03-06T19:45:34.347

Link: CVE-2026-27801

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-04T21:32:14Z

Links: CVE-2026-27801 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:15:06Z

Weaknesses