Impact
Vaultwarden implements a Bitwarden‑compatible protocol but contains a flaw: refresh tokens are not invalidated when a user’s security stamp changes. As a result, an attacker who already possesses a refresh token can continue accessing the victim’s vault even after the account has been protected by changing the password, changing the key derivation function, or resetting emergency access. Classified as CWE‑613, the vulnerability reflects a failure to maintain user session integrity. The primary impact is that an attacker retains unauthorized access to all stored secrets for as long as the stolen token remains valid.
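The following is an added illustration of the CWE‑613 behaviour described above, not Vaultwarden’s own code: a refresh check that ignores the security stamp (the vulnerable form) beside one that binds the token to the stamp current at issuance (the hardened form). The token layout, function names and the unsigned token representation are hypothetical.

```rust
// Added example of the CWE-613 flaw described above (not Vaultwarden's code).
// Names and token layout are hypothetical; a real token would also be signed.
use std::collections::HashMap;

/// user id -> current security stamp (rotated on password, KDF or email change)
pub type Users = HashMap<String, String>;

pub struct RefreshToken {
    pub user_id: String,
    pub security_stamp: String, // stamp at the time the token was issued
    pub expires_at: u64,        // unix seconds
}

pub fn issue_refresh_token(users: &Users, user_id: &str, now: u64, ttl: u64) -> Option<RefreshToken> {
    Some(RefreshToken {
        user_id: user_id.to_string(),
        security_stamp: users.get(user_id)?.clone(),
        expires_at: now + ttl,
    })
}

/// Vulnerable check (the pre-1.35.5 behaviour described above): only expiry and
/// user existence are verified, so a token issued before the password change passes.
pub fn refresh_vulnerable(users: &Users, tok: &RefreshToken, now: u64) -> bool {
    now < tok.expires_at && users.contains_key(&tok.user_id)
}

/// Hardened check: the stamp embedded in the token must equal the user's
/// current stamp, so rotating the stamp revokes every outstanding token.
pub fn refresh_fixed(users: &Users, tok: &RefreshToken, now: u64) -> bool {
    users.get(&tok.user_id)
        .map_or(false, |s| now < tok.expires_at && *s == tok.security_stamp)
}

/// Server-side effect of a password change: the user's stamp is rotated.
pub fn rotate_security_stamp(users: &mut Users, user_id: &str, new_stamp: &str) {
    if let Some(stamp) = users.get_mut(user_id) {
        *stamp = new_stamp.to_string();
    }
}

/// Constructed scenario: token issued, then the victim changes their password.
/// Returns (accepted by vulnerable check, accepted by fixed check).
pub fn demo() -> (bool, bool) {
    let mut users = Users::new();
    users.insert("alice".into(), "stamp-1".into());
    let tok = issue_refresh_token(&users, "alice", 1_000, 3_600).unwrap();
    rotate_security_stamp(&mut users, "alice", "stamp-2");
    (refresh_vulnerable(&users, &tok, 1_500), refresh_fixed(&users, &tok, 1_500))
}
```

Running `demo()` returns `(true, false)`: the unexpired token is still honoured by the vulnerable check after the stamp rotation, and rejected by the hardened one.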
Affected Systems
The flaw affects every deployment of Vaultwarden released by dani‑garcia before version 1.35.5. All releases prior to 1.35.5 contain the bug; versions 1.35.5 and newer include the fix. Any server running a vulnerable version remains exposed until it is upgraded.
Risk and Exploitability
The CVSS score of 6.8 indicates moderate severity, while no EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, so the current likelihood of exploitation is unclear. Based on the description, it is inferred that an attacker must already possess a valid refresh token; no additional network interaction with the server is required. Scenarios such as credential theft, phishing, or data leakage that yield a token therefore enable exploitation. An adversary who obtains such tokens can maintain long‑term access and potentially exfiltrate sensitive vault data.
OpenCVE Enrichment