CVE-2026-43914

Published: Mag 12, 2026 Last Modified: Mag 12, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: low

Description

AI Translation Available

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4.

307

Improper Restriction of Excessive Authentication Attempts

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism
Applicable Platforms
All platforms may be affected
View CWE Details
https://github.com/dani-garcia/vaultwarden/pull/6867
https://github.com/dani-garcia/vaultwarden/pull/6867
https://github.com/dani-garcia/vaultwarden/releases/tag/1.3…
https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4
https://github.com/dani-garcia/vaultwarden/security/advisor…
https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-c5rv-q295-7…