Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4.
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vaultwarden, a Bitwarden-compatible server built in Rust, contains a flaw that lets an attacker bypass login brute‑force protection when email two‑factor authentication (2FA) is enabled. The send_email_login endpoint does not enforce rate‑limiting and also serves as an oracle that confirms whether a username‑password combination is valid. This enables attackers to iterate over passwords without limitation, effectively compromising accounts.

Affected Systems

Affected vendors and products include the open‑source Vaultwarden server maintained by dani‑garcia. Any installation running a version earlier than 1.35.4 is susceptible. The issue is fixed in release 1.35.4 and later; no further version information is provided by the CNA.

Risk and Exploitability

The CVSS score of 7.3 indicates a medium‑to‑high severity, and the lack of EPSS data suggests no current exploitation reports but the vulnerability could be readily abused over the network. It is inferred that the endpoint is publicly accessible and operates without prior authentication, because the CVE description indicates that the endpoint can be used as a password oracle without requiring logged‑in status. This broadens the attack surface. The vulnerability’s presence in the KEV catalog is not reported, but the risk remains significant for any organization that has not upgraded or mitigated the exposed endpoint.

Generated by OpenCVE AI on May 12, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch to upgrade to version 1.35.4 or later.
  • Restrict network access to the /api/two-factor/send-email-login endpoint by firewall or IP whitelisting until the server can be patched.
  • Regularly monitor authentication logs for repeated or suspicious password attempts, and consider additional external rate‑limiting mechanisms if necessary.

Generated by OpenCVE AI on May 12, 2026 at 00:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Dani-garcia
Dani-garcia vaultwarden
Vendors & Products Dani-garcia
Dani-garcia vaultwarden

Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4.
Title Vaultwarden: Brute-force protection bypass vulnerability
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Dani-garcia Vaultwarden
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T12:51:49.183Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43914

cve-icon Vulnrichment

Updated: 2026-05-12T12:51:40.351Z

cve-icon NVD

Status : Received

Published: 2026-05-11T23:20:22.253

Modified: 2026-05-12T14:17:07.973

Link: CVE-2026-43914

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T00:15:07Z

Weaknesses