PT-2026-39861 · Unknown · Vaultwarden
Qaz741Wsd856 · Published 2026-05-11 · Updated 2026-05-12 · CVE-2026-43911
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Vaultwarden versions prior to 1.35.5

Description: Refresh tokens are not invalidated when a user's security stamp is rotated during security-sensitive operations, such as password changes, KDF changes, key rotation, email changes, organization administrator password resets, or emergency access takeovers. Rotating the stamp rejects previously issued access tokens, but a refresh token obtained earlier (for example, from a compromised device) can still be exchanged for a new access token that carries the current stamp, so an attacker keeps session access even after the user has performed these actions to secure their account.

Recommendations: Update to version 1.35.5. The update cannot recall refresh tokens an attacker has already copied, so users who suspect exposure should rotate their security stamp once more after upgrading (for example, by changing their password or deauthorizing all sessions) so that the fixed check rejects the stale tokens.
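The missing check, as an added illustration that is not taken from Vaultwarden's code base: a minimal Rust model of a user's security stamp, the access tokens that embed it, and a refresh endpoint in both the vulnerable and the fixed form. All type and function names are hypothetical, the stamp and token values are deterministic stand-ins for random values, and the fixed path assumes the simplest remedy, binding each refresh token to the stamp it was issued under and discarding it once the stamp has moved on.

```rust
// Added example (not Vaultwarden's code): security-stamp rotation versus
// refresh-token replay, with the vulnerable and fixed refresh check side by side.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct AccessToken {
    pub user_id: u64,
    pub stamp: String, // stamp embedded at issuance, like a claim in a JWT
}

#[derive(Clone, Debug)]
pub struct RefreshToken {
    pub secret: String,
    pub user_id: u64,
    pub stamp: String, // stamp at issuance; only the fixed path looks at it
}

struct User {
    security_stamp: String,
}

pub struct AuthServer {
    users: HashMap<u64, User>,
    refresh_tokens: HashMap<String, RefreshToken>, // keyed by secret
    counter: u64, // stand-in for a CSPRNG; real stamps and secrets are random
}

impl AuthServer {
    pub fn new() -> Self {
        AuthServer { users: HashMap::new(), refresh_tokens: HashMap::new(), counter: 0 }
    }

    fn fresh(&mut self, prefix: &str) -> String {
        self.counter += 1;
        format!("{}-{}", prefix, self.counter)
    }

    pub fn add_user(&mut self, user_id: u64) {
        let stamp = self.fresh("stamp");
        self.users.insert(user_id, User { security_stamp: stamp });
    }

    /// Password login: returns a short-lived access token and a long-lived refresh token.
    pub fn login(&mut self, user_id: u64) -> Option<(AccessToken, RefreshToken)> {
        let stamp = self.users.get(&user_id)?.security_stamp.clone();
        let secret = self.fresh("refresh");
        let rt = RefreshToken { secret: secret.clone(), user_id, stamp: stamp.clone() };
        self.refresh_tokens.insert(secret, rt.clone());
        Some((AccessToken { user_id, stamp }, rt))
    }

    /// Every security-sensitive operation (password or KDF change, key rotation, ...)
    /// rotates the stamp; that is what invalidates already-issued access tokens.
    pub fn rotate_security_stamp(&mut self, user_id: u64) -> bool {
        let stamp = self.fresh("stamp");
        match self.users.get_mut(&user_id) {
            Some(user) => {
                user.security_stamp = stamp;
                true
            }
            None => false,
        }
    }

    /// An access token is accepted only while its embedded stamp is the current one.
    pub fn validate_access(&self, token: &AccessToken) -> bool {
        self.users
            .get(&token.user_id)
            .map_or(false, |user| user.security_stamp == token.stamp)
    }

    /// Vulnerable refresh: checks only that the refresh token exists, then mints an
    /// access token carrying the *current* stamp, which validate_access accepts even
    /// after a rotation. This is the behaviour the advisory describes.
    pub fn refresh_vulnerable(&self, secret: &str) -> Option<AccessToken> {
        let rt = self.refresh_tokens.get(secret)?;
        let user = self.users.get(&rt.user_id)?;
        Some(AccessToken { user_id: rt.user_id, stamp: user.security_stamp.clone() })
    }

    /// Fixed refresh: the token is bound to the stamp it was issued under and is
    /// rejected and deleted once the stamp has changed.
    pub fn refresh_fixed(&mut self, secret: &str) -> Option<AccessToken> {
        let rt = self.refresh_tokens.get(secret)?.clone();
        let current = self.users.get(&rt.user_id)?.security_stamp.clone();
        if rt.stamp != current {
            self.refresh_tokens.remove(secret);
            return None;
        }
        Some(AccessToken { user_id: rt.user_id, stamp: current })
    }
}

fn main() {
    let mut server = AuthServer::new();
    server.add_user(42);
    let (access, refresh) = server.login(42).expect("user exists");
    // An attacker who copied `refresh` from the victim's device holds it from here on.
    server.rotate_security_stamp(42); // the victim changes their password
    println!("old access token accepted: {}", server.validate_access(&access));
    let replayed = server.refresh_vulnerable(&refresh.secret);
    println!(
        "vulnerable refresh path yields a working access token: {}",
        replayed.as_ref().map_or(false, |t| server.validate_access(t))
    );
    println!(
        "fixed refresh path yields an access token: {}",
        server.refresh_fixed(&refresh.secret).is_some()
    );
}
```

Run as a binary, the model shows that after the password change the pre-rotation access token is refused, the vulnerable refresh path nevertheless produces an access token that passes validation, and the fixed path refuses the same refresh token. Binding the refresh token to the stamp is the minimal fix; a server may additionally delete all of a user's stored refresh tokens at rotation time so that the comparison never has to run.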

Weakness Enumeration
Insufficient Session Expiration (CWE-613)

Related Identifiers
CVE-2026-43911

Affected Products
Vaultwarden