Qaz741Wsd856

**Name of the Vulnerable Software and Affected Versions** Vaultwarden versions prior to 1.35.5 **Description** Refresh tokens are not invalidated when a user's `security stamp` is rotated during security-sensitive operations, such as password changes, KDF changes, key rotation, email changes, organization administrator password resets, or emergency access takeovers. This allows an attacker with a previously obtained refresh token to maintain session access even after the user has performed actions to secure their account. **Recommendations** Update to version 1.35.5.