9.8
CVE-2026-43914: Vaultwarden allows password brute-force attacks with 2FA
Summary
If you use Vaultwarden with email two-factor authentication, an attacker could try many passwords to guess your account credentials without being blocked. This vulnerability is fixed in version 1.35.4, so make sure to update to this version or later. If you don't use email 2FA, you're not directly affected, but it's still a good idea to update to the latest version for security reasons.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| dani-garcia | vaultwarden | < 1.35.4 (cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*) |
Original title
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa i...
Original description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2FA is enabled. If email 2FA is enabled, the unprotected 2FA function send_email_login (email.rs, API endpoint /api/two-factor/send-email-login) also acts as an oracle that reveals whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate limiting. This works even for users who don't have email 2FA configured. This vulnerability is fixed in 1.35.4.
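The weakness is an authentication endpoint that is not covered by the login rate limit, so one detection a defender can run is a per-client burst count on that path. The Rust program below is an added example, not Vaultwarden's own code: it scans constructed reverse-proxy access log lines (the space-separated format is assumed) and reports client IPs that hit /api/two-factor/send-email-login more than a threshold number of times inside a sliding time window.

```rust
use std::collections::HashMap;

/// Constructed sample access log (not real Vaultwarden or proxy output).
/// Assumed format: "<unix_ts> <client_ip> <method> <path> <status>".
pub const SAMPLE_LOG: &str = "\
1778500000 203.0.113.5 POST /api/two-factor/send-email-login 400
1778500001 203.0.113.5 POST /api/two-factor/send-email-login 400
1778500002 203.0.113.5 POST /api/two-factor/send-email-login 400
1778500003 203.0.113.5 POST /api/two-factor/send-email-login 400
1778500004 203.0.113.5 POST /api/two-factor/send-email-login 400
1778500030 198.51.100.7 POST /api/two-factor/send-email-login 200
1778500031 198.51.100.7 POST /identity/connect/token 200
1778600000 203.0.113.5 POST /api/two-factor/send-email-login 400";

/// The endpoint named in the advisory as the unrated password oracle.
pub const ORACLE_PATH: &str = "/api/two-factor/send-email-login";

/// Returns (client_ip, peak_count) for every client that requested the oracle
/// endpoint more than `max_hits` times within any `window_secs`-second window.
pub fn burst_sources(log: &str, window_secs: u64, max_hits: usize) -> Vec<(String, usize)> {
    // Collect request timestamps per client IP, oracle endpoint only.
    let mut hits: HashMap<&str, Vec<u64>> = HashMap::new();
    for line in log.lines() {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() < 5 || f[3] != ORACLE_PATH {
            continue;
        }
        if let Ok(ts) = f[0].parse::<u64>() {
            hits.entry(f[1]).or_default().push(ts);
        }
    }
    let mut flagged = Vec::new();
    for (ip, mut ts) in hits {
        ts.sort_unstable();
        // Sliding window over sorted timestamps: advance `start` until the
        // span [start, end] fits inside the window, then record its size.
        let (mut peak, mut start) = (0usize, 0usize);
        for end in 0..ts.len() {
            while ts[end] - ts[start] > window_secs {
                start += 1;
            }
            peak = peak.max(end - start + 1);
        }
        if peak > max_hits {
            flagged.push((ip.to_string(), peak));
        }
    }
    flagged.sort();
    flagged
}

fn main() {
    for (ip, n) in burst_sources(SAMPLE_LOG, 60, 3) {
        println!("{ip}: {n} send-email-login requests within 60s");
    }
}
```

The status code is not used on purpose: the advisory notes the endpoint answers differently for right and wrong passwords, so a guessing run shows up as volume on the path regardless of the responses.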
NVD CVSS 3.1: 7.3
Vulnerability type
CWE-307
Published: 11 May 2026 · Updated: 28 May 2026 · First seen: 11 May 2026