External risk intelligence

Vaultwarden can be compromised to reveal user passwords.

CVE advisory. Severity: CRITICAL (CVSS 9.8)

CVE-2026-43914

Vaultwarden, a password manager, has a critical flaw where attackers can bypass login protections and guess passwords, even if you don't use 2FA. Update immediately to protect your accounts.

Halo Surface Signal: 4

Dani Garcia / Vaultwarden, versions before 1.35.4

External exposure likelihood

Halo Surface Signal score for CVE-2026-43914

Vaultwarden is a password management server. These applications are commonly deployed as internet-facing web services or APIs to support remote synchronization and access for client software like browser extensions and mobile apps, making them frequently reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Vaultwarden, a Bitwarden-compatible server, allows attackers to bypass login brute-force protections if email 2FA is enabled. The issue lies in a function intended for sending 2FA emails, which can inadvertently reveal whether a username and password combination is correct, enabling password guessing without rate limits. This affects users even if they haven't configured email 2FA.

  • Can lead to unauthorized account access.
  • Affects any user with email 2FA enabled.
  • Requires access to the login endpoint.

Attack Path

How an attacker could exploit the issue

An attacker can bypass Vaultwarden's login brute-force protection by sending requests to an unprotected API endpoint intended for email 2FA. This endpoint reveals whether a username and password combination is valid, allowing an attacker to rapidly guess credentials without triggering rate limits. This attack is possible even for users without email 2FA configured.

  • Unauthenticated network access required.
  • Target the `/api/two-factor/send-email-login` endpoint.
  • Exploitable if email 2FA is enabled.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Vaultwarden allows attackers to bypass brute-force protection by exploiting the email 2FA function, potentially enabling them to guess credentials. Because Vaultwarden is often exposed to the internet, this could be attractive to attackers seeking to compromise user accounts for credential stuffing or further network access.

  • No reported exploitation in the wild.
  • Public exploit code is available.
  • Fix released in version 1.35.4.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize updating Vaultwarden to version 1.35.4, which fixes a critical vulnerability that allows attackers to bypass brute-force protection and guess credentials. If immediate patching is not possible, implement strict rate limiting on the `/api/two-factor/send-email-login` endpoint and monitor for suspicious login attempts.

  • Update Vaultwarden to 1.35.4.
  • Rate-limit email 2FA endpoint.
  • Monitor login activity for anomalies.
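As an added example, not part of this advisory or of the Vaultwarden project: a small Python detector for the "monitor login activity" step, which scans reverse-proxy access logs for bursts of POSTs to the `/api/two-factor/send-email-login` endpoint from a single source. The combined-format log layout, the sample lines, and the 20-requests-per-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Endpoint the advisory names as the one to rate-limit and monitor.
WATCHED_PATH = "/api/two-factor/send-email-login"

# Assumed: a reverse proxy in front of Vaultwarden writes Apache/nginx "combined" logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bursts(lines, threshold=20, window_seconds=60):
    """Flag source IPs that POST to WATCHED_PATH more than `threshold` times within
    any `window_seconds` sliding window. Returns {ip: peak hits seen in one window}."""
    recent = defaultdict(deque)  # per-IP timestamps of hits still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path.split("?", 1)[0] != WATCHED_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop hits older than window
            q.popleft()
        if len(q) > threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


def constructed_sample():
    """Constructed log lines, not real traffic: one source hammering the endpoint, one normal client."""
    burst = [f'203.0.113.7 - - [12/May/2026:10:00:{s:02d} +0000] "POST {WATCHED_PATH} HTTP/1.1" 400 52'
             for s in range(25)]
    normal = ['198.51.100.4 - - [12/May/2026:10:00:05 +0000] "GET /api/sync HTTP/1.1" 200 8120',
              f'198.51.100.4 - - [12/May/2026:10:00:06 +0000] "POST {WATCHED_PATH} HTTP/1.1" 200 2']
    return burst + normal
```

In production, feed `find_bursts` the proxy's access log instead of `constructed_sample()` and route any returned IPs to the same place other login anomalies are tracked.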

Frequently asked questions

What is Vaultwarden and what is it used for?

Vaultwarden is a server application compatible with Bitwarden, a popular password manager. It allows users to self-host their password vaults, providing a private and customizable alternative to cloud-based services. People use it to securely store and synchronize login credentials across multiple devices and applications.

How does CVE-2026-43914 let attackers bypass security?

This vulnerability is a weakness in how Vaultwarden handles login attempts when email 2FA is enabled. A specific function, designed to send two-factor authentication emails, can be tricked into revealing whether a username and password combination is correct. This bypasses the normal brute-force protections, allowing attackers to guess passwords much faster.

What conditions are needed to exploit CVE-2026-43914?

An attacker needs to be able to send requests to Vaultwarden's `/api/two-factor/send-email-login` endpoint. The vulnerability can be triggered even if the targeted user has not configured email 2FA. The primary precondition is network access to this specific unprotected API endpoint.

Who needs to be concerned about this Vaultwarden vulnerability?

Anyone running Vaultwarden, especially if it is accessible from the internet, should be concerned. The Halo Surface Signal indicates this type of software is 'Likely' to be internet-facing, meaning external attackers could potentially exploit this weakness to gain unauthorized access to user accounts.

What is the first step to address this threat?

The most critical first step is to update Vaultwarden to version 1.35.4 or later. This update specifically contains the fix for the vulnerability that allows bypassing brute-force protections. If updating immediately isn't feasible, implementing strict rate limiting on the affected API endpoint is a temporary measure.
