PT-2026-23064

D-Xuan · Published 2026-03-04 · Updated 2026-03-04

CVE-2026-27801

CVSS v4.0: 6.0 (Medium)

Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vaultwarden versions 1.34.3 and prior

Description: Vaultwarden, a Bitwarden-compatible server, is susceptible to a 2FA bypass when performing protected actions. An attacker who has already gained authenticated access to a user's account can use this bypass to perform protected actions such as reading the user's API key or deleting the user's vault and any organizations the user is an admin or owner of. The issue stems from incorrect persistence of the attempt count during one-time passcode (OTP) validation: the validate protected action otp function increments the attempt count on a local copy but never writes the incremented value back to storage, so every validation request sees the original count and the rate limit is never reached. Because the OTP is only six digits long, the code can be brute-forced, which the reporter found to succeed at a request throughput of up to 2500 requests per second. The vulnerability therefore lets an attacker repeatedly request OTPs and guess the code without ever being blocked by the rate limit.

Recommendations: Versions prior to 1.35.0 are affected. Update to version 1.35.0 or later to resolve this issue.
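The root cause in the description is a counter that is incremented on a local copy and never persisted. The following Rust example is added here to illustrate that failure mode and its fix; it is not Vaultwarden's code, and the type and function names (`OtpStore`, `validate_otp_vulnerable`, `validate_otp_fixed`, `probe`) and the limit of three attempts are assumptions chosen for the illustration. An in-memory `HashMap` stands in for the database table that holds pending OTPs.

```rust
// Added illustration, not Vaultwarden's code. Shows a per-user OTP attempt
// counter that is incremented on a clone and silently discarded (the defect
// pattern), next to a version that mutates the stored record so the count
// survives across requests. Names and MAX_ATTEMPTS are assumptions.
use std::collections::HashMap;

/// Hypothetical lockout threshold, not Vaultwarden's actual value.
const MAX_ATTEMPTS: u32 = 3;

/// One pending protected-action OTP: the expected code and the number of
/// wrong guesses recorded against it.
#[derive(Clone, Debug)]
pub struct OtpRecord {
    pub code: String,
    pub attempts: u32,
}

/// In-memory stand-in for the persistent store, keyed by user id.
#[derive(Default)]
pub struct OtpStore {
    records: HashMap<String, OtpRecord>,
}

#[derive(Debug, PartialEq)]
pub enum OtpResult {
    Ok,
    Wrong,
    TooManyAttempts,
}

impl OtpStore {
    /// Issue a fresh OTP for a user, resetting the attempt counter.
    pub fn issue(&mut self, user: &str, code: &str) {
        self.records.insert(
            user.to_string(),
            OtpRecord { code: code.to_string(), attempts: 0 },
        );
    }

    /// Defect pattern: the record is cloned out of the store, the clone's
    /// counter is incremented, and the store is never updated. Every call
    /// therefore observes attempts == 0 and the limit is never reached.
    pub fn validate_otp_vulnerable(&mut self, user: &str, guess: &str) -> OtpResult {
        let mut rec = match self.records.get(user) {
            Some(r) => r.clone(),
            None => return OtpResult::Wrong,
        };
        if rec.attempts >= MAX_ATTEMPTS {
            return OtpResult::TooManyAttempts;
        }
        if rec.code == guess {
            self.records.remove(user);
            return OtpResult::Ok;
        }
        rec.attempts += 1; // lost when `rec` is dropped at the end of this call
        OtpResult::Wrong
    }

    /// Fixed pattern: increment the stored record in place (the equivalent of
    /// writing the new count back to the database) before answering, so the
    /// next request sees the updated count.
    pub fn validate_otp_fixed(&mut self, user: &str, guess: &str) -> OtpResult {
        let outcome = {
            let rec = match self.records.get_mut(user) {
                Some(r) => r,
                None => return OtpResult::Wrong,
            };
            if rec.attempts >= MAX_ATTEMPTS {
                return OtpResult::TooManyAttempts;
            }
            if rec.code == guess {
                OtpResult::Ok
            } else {
                rec.attempts += 1; // persisted in the store
                OtpResult::Wrong
            }
        };
        if outcome == OtpResult::Ok {
            self.records.remove(user); // a used OTP must not be replayable
        }
        outcome
    }
}

/// Send `n` wrong guesses through either validator and return the last result.
pub fn probe(store: &mut OtpStore, user: &str, n: usize, fixed: bool) -> OtpResult {
    let mut last = OtpResult::Wrong;
    for _ in 0..n {
        last = if fixed {
            store.validate_otp_fixed(user, "000000")
        } else {
            store.validate_otp_vulnerable(user, "000000")
        };
    }
    last
}

fn main() {
    let mut store = OtpStore::default();
    store.issue("alice", "123456"); // constructed sample OTP
    println!("vulnerable, 10 wrong guesses: {:?}", probe(&mut store, "alice", 10, false));
    let mut store = OtpStore::default();
    store.issue("alice", "123456");
    println!("fixed, 10 wrong guesses: {:?}", probe(&mut store, "alice", 10, true));
}
```

The point of the fixed path is that the check and the increment operate on the same stored record: whatever backs the store, the incremented count must be written back before the response is sent, and once the limit is reached even the correct code is refused until a new OTP is issued.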


Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts

Related Identifiers

CVE-2026-27801
GHSA-V6PG-V89R-W8WR

Affected Products

Bitwarden
Vaultwarden