PT-2026-39863 · Unknown · Vaultwarden
Ch1Nhpd · Published 2026-05-11 · Updated 2026-05-12 · CVE-2026-43913
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vaultwarden versions prior to 1.35.5
Description: Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The issue exists because the 'POST /api/ciphers/purge' endpoint verifies that a user has the Owner membership type but fails to verify that the membership status is Confirmed. Consequently, an authenticated user who has accepted an organization owner invite but has not yet been confirmed by an existing owner can call this endpoint to permanently delete all ciphers and attachments within the organization, leading to immediate data loss.
Recommendations: Update to version 1.35.5.
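The authorization gap described above, modelled as an added Rust example that is not Vaultwarden's code (the names MembershipType, MembershipStatus, AuthzError, OrgVault and purge_vault are assumptions): the vulnerable check inspects only the membership type, while the corrected check also requires Confirmed status before the destructive purge runs.

```rust
// Illustrative model of the flaw described above. The type, enum and function
// names are assumptions for this example, not Vaultwarden's own identifiers.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum MembershipType { Owner, Admin, User }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum MembershipStatus { Invited, Accepted, Confirmed }
#[derive(Debug, Clone, Copy)]
pub struct Membership { pub atype: MembershipType, pub status: MembershipStatus }
#[derive(Debug, PartialEq, Eq)]
pub enum AuthzError { NotOwner, NotConfirmed }
/// Constructed stand-in for an organization vault (cipher ids, attachment ids).
#[derive(Debug)]
pub struct OrgVault { pub ciphers: Vec<u32>, pub attachments: Vec<u32> }

/// Vulnerable check, as in the advisory: the Owner type is verified but the
/// membership status is never consulted.
pub fn authorize_purge_vulnerable(m: &Membership) -> Result<(), AuthzError> {
    if m.atype != MembershipType::Owner { return Err(AuthzError::NotOwner); }
    Ok(())
}

/// Corrected check: a destructive action requires a Confirmed Owner.
pub fn authorize_purge_fixed(m: &Membership) -> Result<(), AuthzError> {
    if m.atype != MembershipType::Owner { return Err(AuthzError::NotOwner); }
    if m.status != MembershipStatus::Confirmed { return Err(AuthzError::NotConfirmed); }
    Ok(())
}

/// Purge handler: authorizes, then empties the vault. Returns the number of
/// deleted items so the caller can audit-log the action.
pub fn purge_vault(
    vault: &mut OrgVault,
    m: &Membership,
    authorize: fn(&Membership) -> Result<(), AuthzError>,
) -> Result<usize, AuthzError> {
    authorize(m)?;
    let deleted = vault.ciphers.len() + vault.attachments.len();
    vault.ciphers.clear();
    vault.attachments.clear();
    Ok(deleted)
}

fn main() {
    // Constructed input: accepted the owner invite, not yet confirmed by an owner.
    let unconfirmed = Membership { atype: MembershipType::Owner, status: MembershipStatus::Accepted };
    let mut v1 = OrgVault { ciphers: vec![1, 2, 3], attachments: vec![10] };
    let mut v2 = OrgVault { ciphers: vec![1, 2, 3], attachments: vec![10] };
    println!("vulnerable: {:?}", purge_vault(&mut v1, &unconfirmed, authorize_purge_vulnerable));
    println!("fixed:      {:?}", purge_vault(&mut v2, &unconfirmed, authorize_purge_fixed));
}
```

For the unconfirmed owner the vulnerable path returns Ok(4) and empties the vault, while the fixed path returns Err(NotConfirmed) and leaves every item in place.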

Fix
Weakness Enumeration: Incorrect Authorization
Related Identifiers: CVE-2026-43913
Affected Products: Vaultwarden