PT-2026-37215 · Unknown · Vaultwarden

Dorakemon · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-31835

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vaultwarden versions prior to 1.35.5

Description: The WebAuthn authentication flow in the `validate_webauthn_login()` function updates persistent credential metadata, specifically the backup eligible and backup state flags, from unverified authenticatorData before the signature is validated. An attacker who knows a user's password can therefore permanently modify these stored backup flags without a valid WebAuthn signature, because the database updates are not rolled back when signature verification fails. The result is a persistent denial of service of WebAuthn two-factor authentication for the affected credentials.

Recommendations: Update to version 1.35.5.
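The ordering defect described above, as an added illustration that is not Vaultwarden's own code: the vulnerable flow writes the backup flags from unverified authenticatorData and keeps the write when the signature check fails, while the fixed flow verifies first and persists only on success. An HMAC-SHA256 stands in for the WebAuthn ECDSA signature check, and the credential record, relying-party id and function names are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# WebAuthn authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
FLAG_BE = 0x08  # backup eligible (BE) bit of the flags byte
FLAG_BS = 0x10  # backup state (BS) bit of the flags byte

@dataclass
class StoredCredential:
    # Constructed stand-in for the stored credential row; an HMAC key plays the role of the public key.
    key: bytes
    backup_eligible: bool = False
    backup_state: bool = False

def parse_backup_flags(authenticator_data: bytes) -> tuple[bool, bool]:
    """Return (BE, BS) from the flags byte; reject data too short to carry it."""
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData shorter than rpIdHash + flags + signCount")
    flags = authenticator_data[32]
    return bool(flags & FLAG_BE), bool(flags & FLAG_BS)

def sign(key: bytes, authenticator_data: bytes, client_data_hash: bytes) -> bytes:
    # Stand-in for the authenticator's signature over authenticatorData || clientDataHash (assumption: HMAC, not ECDSA).
    return hmac.new(key, authenticator_data + client_data_hash, hashlib.sha256).digest()

def signature_valid(cred: StoredCredential, authenticator_data: bytes, client_data_hash: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(cred.key, authenticator_data, client_data_hash), signature)

def validate_login_vulnerable(cred, authenticator_data, client_data_hash, signature) -> bool:
    # Ordering described in the advisory: flags are persisted from unverified data first,
    # and a failed signature check does not roll the write back.
    cred.backup_eligible, cred.backup_state = parse_backup_flags(authenticator_data)
    return signature_valid(cred, authenticator_data, client_data_hash, signature)

def validate_login_fixed(cred, authenticator_data, client_data_hash, signature) -> bool:
    # Parse, verify, and only then persist: a rejected assertion never touches stored state.
    be, bs = parse_backup_flags(authenticator_data)
    if not signature_valid(cred, authenticator_data, client_data_hash, signature):
        return False
    cred.backup_eligible, cred.backup_state = be, bs
    return True

def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    # Constructed authenticatorData carrying the given flags byte.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
```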

Fix

Weakness Enumeration: Insufficient Verification of Data Authenticity

Related Identifiers: CVE-2026-31835

Affected Products: Vaultwarden