PT-2026-39864 · Unknown · Vaultwarden
Robert-Fl · Published 2026-05-11 · Updated 2026-05-12 · CVE-2026-43914
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vaultwarden versions prior to 1.35.4

Description: A flaw in the login brute-force protection allows attackers to determine whether a username and password combination is correct when email two-factor authentication (2FA) is enabled. The API endpoint "/api/two-factor/send-email-login" and its associated function send_email_login() act as an oracle, enabling password brute-forcing without rate limiting. This issue affects all users, including those who have not configured email 2FA.

Recommendations: Update to version 1.35.4.
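The description above boils down to one design rule: every code path that validates a password must sit behind the same attempt limiter, or the unguarded path becomes a credential oracle. The following Rust snippet is an added illustration written for this page; it is not Vaultwarden's code and does not reproduce its fix. The limiter, the plaintext credential store, the user name "alice" and the helper names (AttemptLimiter, check_with_limiter, unguarded_check, demo) are all constructed for the example. Time is passed in as a plain seconds counter so the behaviour is deterministic.

```rust
use std::collections::HashMap;

/// Hypothetical fixed-window limiter (not Vaultwarden's). Counts failed
/// credential checks per key (user name here; a client IP would also work)
/// and blocks the key once the failure budget for the window is spent.
pub struct AttemptLimiter {
    max_failures: u32,
    window_secs: u64,
    // key -> (window start in seconds, failures seen in that window)
    failures: HashMap<String, (u64, u32)>,
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Ok,
    BadCredentials,
    Throttled,
}

impl AttemptLimiter {
    pub fn new(max_failures: u32, window_secs: u64) -> Self {
        AttemptLimiter { max_failures, window_secs, failures: HashMap::new() }
    }

    /// True if `key` has exhausted its budget in the current window.
    /// An expired window is dropped so the key starts fresh.
    pub fn is_blocked(&mut self, key: &str, now: u64) -> bool {
        match self.failures.get(key) {
            Some(&(start, count)) => {
                if now.saturating_sub(start) >= self.window_secs {
                    self.failures.remove(key);
                    false
                } else {
                    count >= self.max_failures
                }
            }
            None => false,
        }
    }

    pub fn record_failure(&mut self, key: &str, now: u64) {
        let entry = self.failures.entry(key.to_string()).or_insert((now, 0));
        if now.saturating_sub(entry.0) >= self.window_secs {
            *entry = (now, 0); // new window
        }
        entry.1 += 1;
    }

    pub fn record_success(&mut self, key: &str) {
        self.failures.remove(key);
    }
}

/// Constructed credential store: user name -> password. Plaintext only to
/// keep the example short; a real store compares against a password hash.
pub fn credentials_ok(store: &HashMap<&str, &str>, user: &str, password: &str) -> bool {
    store.get(user).map_or(false, |p| *p == password)
}

/// Guarded check, meant to be shared by the normal login endpoint AND any
/// secondary endpoint (such as a "send 2FA email" handler) that verifies a
/// password. Once the key is throttled, even the right password gets
/// `Throttled`, so the response no longer leaks whether the guess was correct.
pub fn check_with_limiter(
    limiter: &mut AttemptLimiter,
    store: &HashMap<&str, &str>,
    user: &str,
    password: &str,
    now: u64,
) -> Outcome {
    if limiter.is_blocked(user, now) {
        return Outcome::Throttled;
    }
    if credentials_ok(store, user, password) {
        limiter.record_success(user);
        Outcome::Ok
    } else {
        limiter.record_failure(user, now);
        Outcome::BadCredentials
    }
}

/// The vulnerable pattern: a second endpoint that checks the password but
/// never consults the limiter. It answers Ok/BadCredentials forever, which
/// is exactly the oracle the advisory describes.
pub fn unguarded_check(store: &HashMap<&str, &str>, user: &str, password: &str) -> Outcome {
    if credentials_ok(store, user, password) { Outcome::Ok } else { Outcome::BadCredentials }
}

/// Constructed scenario: six guesses for "alice" inside one window, the last
/// one correct. Returns (guarded outcomes, unguarded outcomes).
pub fn demo() -> (Vec<Outcome>, Vec<Outcome>) {
    let mut store = HashMap::new();
    store.insert("alice", "correct horse battery staple");
    let guesses = ["a", "b", "c", "d", "e", "correct horse battery staple"];
    let mut limiter = AttemptLimiter::new(3, 60);
    let guarded = guesses.iter().map(|g| check_with_limiter(&mut limiter, &store, "alice", *g, 10)).collect();
    let unguarded = guesses.iter().map(|g| unguarded_check(&store, "alice", *g)).collect();
    (guarded, unguarded)
}

fn main() {
    let (guarded, unguarded) = demo();
    println!("guarded:   {:?}", guarded);
    println!("unguarded: {:?}", unguarded);
}
```

With a budget of three failures per 60-second window, the guarded path answers BadCredentials three times and then Throttled for everything, including the correct password, while the unguarded path hands back Ok on the sixth guess. A detection-side corollary: if an application exposes more than one password-validating endpoint, alert thresholds on "failed logins" should be fed by all of them, not only the primary login route.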

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts

Related Identifiers

CVE-2026-43914

Affected Products

Vaultwarden