CVE-2026-43911

6.8 MEDIUM

Vaultwarden is a Bitwarden-compatible server written in Rust

Published: 2026-05-11 · Last updated: 2026-05-18

Severity and scoring

CVSS: 6.8 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-613

Affected products

Vendor	Product
dani-garcia	vaultwarden

Description

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-43911
[Vendor advisory]https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-6j4w-g4jh-xjfx
[Vendor advisory]https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-6j4w-g4jh-xjfx

Related CVEs

Same CWE

CVE-2026-53843 — OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish... (8.8 HIGH)
CVE-2026-53776 — Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the u... (9.1 CRITICAL)
CVE-2026-44188 — A flaw was found in Ansible Lightspeed (5.3 MEDIUM)
CVE-2026-53830 — OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secr... (6.5 MEDIUM)
CVE-2026-53824 — OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing comm... (6.5 MEDIUM)