Description
Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (the `backup_eligible` and `backup_state` flags) based on unverified `authenticatorData` before signature validation is performed. An attacker who knows a user's password but cannot produce a valid WebAuthn signature can permanently modify the stored backup flags for that user's credential. If signature verification fails, the database update is not rolled back. This can result in a persistent denial of service of WebAuthn two-factor authentication for affected credentials. This issue has been fixed in version 1.35.5.
Published: 2026-05-05
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Vaultwarden versions 1.35.4 and earlier, the WebAuthn login flow in `validate_webauthn_login()` writes the credential's `backup_eligible` and `backup_state` flags to persistent storage from the client-supplied `authenticatorData` before it validates the WebAuthn signature. An attacker who knows the user's password but cannot produce a valid signature can therefore submit crafted `authenticatorData`, have the flags written, and let the signature check fail; the write is not rolled back, so the stored flags stay at whatever value the attacker chose. The result is a persistent denial of service of WebAuthn two-factor authentication for that credential. The weakness is classified as CWE-345 (Insufficient Verification of Data Authenticity): the server acts on data before its authenticity has been established.
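The ordering problem described above, as an added illustration that is not Vaultwarden's code: a toy credential store and two versions of the login check. The `authenticatorData` layout (rpIdHash, one flags byte with BE = 0x08 and BS = 0x10, then a big-endian sign count) follows the WebAuthn spec; the "signature" is a keyed FNV-1a stand-in for the real public-key check so the block runs offline (an assumption, as are the struct fields and function names). The vulnerable variant persists the flags before verifying, the fixed variant verifies first and writes once.

```rust
// Added example, not Vaultwarden code. The keyed FNV-1a "signature" is a
// stand-in for the credential's public-key verification (assumption).
use std::collections::HashMap;

const FLAG_BE: u8 = 0x08; // backup eligible
const FLAG_BS: u8 = 0x10; // backup state

#[derive(Clone, Debug, PartialEq)]
pub struct StoredCredential {
    pub backup_eligible: bool,
    pub backup_state: bool,
    pub sign_count: u32,
    pub key: [u8; 16], // stand-in for the credential public key
}

#[derive(Debug, PartialEq)]
pub enum LoginError { UnknownCredential, BadAuthData, BadSignature }

pub type Db = HashMap<String, StoredCredential>;

/// authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian) || ...
pub fn parse_auth_data(auth_data: &[u8]) -> Result<(u8, u32), LoginError> {
    if auth_data.len() < 37 { return Err(LoginError::BadAuthData); }
    let count = u32::from_be_bytes([auth_data[33], auth_data[34], auth_data[35], auth_data[36]]);
    Ok((auth_data[32], count))
}

/// Toy MAC over key || authenticatorData || clientDataHash (not cryptographic).
pub fn toy_sign(key: &[u8; 16], auth_data: &[u8], client_data_hash: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in key.iter().chain(auth_data).chain(client_data_hash) {
        h ^= u64::from(*b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

/// Vulnerable ordering: flags taken from unverified authenticatorData are
/// written before the signature check, and a failed check does not undo them.
pub fn login_vulnerable(db: &mut Db, id: &str, auth_data: &[u8], cdh: &[u8], sig: u64) -> Result<(), LoginError> {
    let mut cred = db.get(id).cloned().ok_or(LoginError::UnknownCredential)?;
    let (flags, count) = parse_auth_data(auth_data)?;
    cred.backup_eligible = (flags & FLAG_BE) != 0;
    cred.backup_state = (flags & FLAG_BS) != 0;
    db.insert(id.to_string(), cred.clone()); // persisted on attacker-controlled input
    if toy_sign(&cred.key, auth_data, cdh) != sig {
        return Err(LoginError::BadSignature); // no rollback of the write above
    }
    cred.sign_count = count;
    db.insert(id.to_string(), cred);
    Ok(())
}

/// Fixed ordering: verify first; touch the store only after every check passed.
pub fn login_fixed(db: &mut Db, id: &str, auth_data: &[u8], cdh: &[u8], sig: u64) -> Result<(), LoginError> {
    let cred = db.get(id).ok_or(LoginError::UnknownCredential)?;
    let (flags, count) = parse_auth_data(auth_data)?;
    if toy_sign(&cred.key, auth_data, cdh) != sig {
        return Err(LoginError::BadSignature);
    }
    let updated = StoredCredential {
        backup_eligible: (flags & FLAG_BE) != 0,
        backup_state: (flags & FLAG_BS) != 0,
        sign_count: count,
        key: cred.key,
    };
    db.insert(id.to_string(), updated);
    Ok(())
}

/// Constructed authenticatorData: zeroed rpIdHash placeholder + flags + counter.
pub fn make_auth_data(flags: u8, count: u32) -> Vec<u8> {
    let mut v = vec![0u8; 32];
    v.push(flags);
    v.extend_from_slice(&count.to_be_bytes());
    v
}

/// Constructed store: one credential with both backup flags clear.
pub fn fresh_db() -> Db {
    let mut db = Db::new();
    db.insert("cred-1".into(), StoredCredential { backup_eligible: false, backup_state: false, sign_count: 7, key: [0x42; 16] });
    db
}

/// Runs the same forged login (BE|BS set, garbage signature) against both
/// implementations and returns what each left in the store.
pub fn demo() -> (StoredCredential, StoredCredential) {
    let forged = make_auth_data(FLAG_BE | FLAG_BS, 8);
    let cdh = [0x11u8; 32];
    let mut a = fresh_db();
    let mut b = fresh_db();
    let _ = login_vulnerable(&mut a, "cred-1", &forged, &cdh, 0xdead_beef);
    let _ = login_fixed(&mut b, "cred-1", &forged, &cdh, 0xdead_beef);
    (a["cred-1"].clone(), b["cred-1"].clone())
}

fn main() {
    let (vuln, fixed) = demo();
    println!("after forged attempt, vulnerable store: {:?}", vuln);
    println!("after forged attempt, fixed store:      {:?}", fixed);
}
```

Both variants reject the forged request; the difference is only in what the store looks like afterwards. The same reasoning applies to any metadata derived from the assertion (sign count, user-verification state): derive it, verify, then commit in one write, or wrap the update in a transaction that is rolled back on any failure.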

Affected Systems

The vulnerability impacts the Vaultwarden server developed by dani‑garcia. All releases up to and including 1.35.4 are affected; the issue was addressed in version 1.35.5. No other vendors or products are listed.

Risk and Exploitability

The CVSS v4.0 score of 5.3 (AV:N/AC:L/AT:N/PR:L/UI:N, availability impact only) indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the attack is low effort: anyone holding the user's password can trigger the flag modification over the normal login endpoint without possessing a WebAuthn authenticator. The consequence is persistent denial of the WebAuthn second factor for that user's credential, not a bypass of it. Exposure is limited to accounts whose password is already known to the attacker, since the crafted `authenticatorData` can only be submitted after the password step succeeds.

Generated by OpenCVE AI on May 5, 2026 at 20:24 UTC.

Remediation

The vendor description states that the issue is fixed in Vaultwarden 1.35.5; no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Vaultwarden to version 1.35.5 or later if possible.
  • If an upgrade is not immediately feasible, disable the WebAuthn two‑factor method for affected users, or restore the stored backup flags for affected credentials directly in the database (the page does not name the table or columns; consult the Vaultwarden schema for your version).
  • As a temporary workaround, remove affected WebAuthn credentials from the server and have users re‑register them so fresh metadata is stored.
  • Monitor login records for repeated WebAuthn signature failures, as these may indicate exploitation attempts. Because exploitation requires the user's password, treat a confirmed attempt as evidence that the password is known to a third party and rotate it.

Generated by OpenCVE AI on May 5, 2026 at 20:24 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 05 May 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Dani-garcia; Dani-garcia vaultwarden

Type: Vendors & Products
Values Added: Dani-garcia; Dani-garcia vaultwarden

Tue, 05 May 2026 19:00:00 +0000

Type: Description
Values Added: Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (the `backup_eligible` and `backup_state` flags) based on unverified `authenticatorData` before signature validation is performed. An attacker who knows a user's password but cannot produce a valid WebAuthn signature can permanently modify the stored backup flags for that user's credential. If signature verification fails, the database update is not rolled back. This can result in a persistent denial of service of WebAuthn two-factor authentication for affected credentials. This issue has been fixed in version 1.35.5.

Type: Title
Values Added: Vaultwarden WebAuthn credential metadata tampered before signature verification

Type: Weaknesses
Values Added: CWE-345

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T18:51:35.457Z

Reserved: 2026-03-09T17:41:56.078Z

Link: CVE-2026-31835

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T19:16:21.733

Modified: 2026-05-05T19:16:21.733

Link: CVE-2026-31835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:30:31Z

Weaknesses