Cyber Resilience

CVE-2026-43913

Severity: High · Public PoC

Published: 11 May 2026
Modified: 13 May 2026
KEV Added: (not listed)
Patch:
CVSS Score: v3.1 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0027 (18.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-43913 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Dani-Garcia Vaultwarden. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The CVE is ranked at the 18.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, and a separate confirmation by an existing owner upgrades it to Confirmed. The POST /api/ciphers/purge endpoint uses plain Headers and only checks that the membership type is Owner without verifying that the membership status is Confirmed. An authenticated user who has been invited as an organization owner and has accepted the invite and has not yet been confirmed can call this endpoint to hard-delete all ciphers and attachments in the organization, causing immediate organization-wide data loss. This vulnerability is fixed in 1.35.5.
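The defect described above is a missing state check: the purge handler tests the member's type (Owner) but not the membership status (Confirmed), so a member who has only reached the Accepted step of the invite flow passes the check. The Rust below is an added illustration written for this page, not Vaultwarden's own code; the enums, the `accept_invite` / `confirm_member` helpers, the `OrgVault` type and both `may_purge_*` checks are hypothetical names chosen to model the two-step invite flow and to place the vulnerable check beside a hardened one that requires both type and status.

```rust
// Added illustration of the authorization defect: the vulnerable check looks at
// membership *type* only, the hardened check also requires *status* == Confirmed.
// All names here are hypothetical and do not correspond to Vaultwarden's code.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum MembershipType {
    User,
    Admin,
    Owner,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum MembershipStatus {
    Invited,
    Accepted,
    Confirmed,
}

#[derive(Debug, Clone, Copy)]
pub struct Membership {
    pub kind: MembershipType,
    pub status: MembershipStatus,
}

/// Invite flow, step 1: the invitee accepts (Invited -> Accepted).
pub fn accept_invite(m: Membership) -> Membership {
    match m.status {
        MembershipStatus::Invited => Membership { status: MembershipStatus::Accepted, ..m },
        _ => m,
    }
}

/// Invite flow, step 2: an existing *confirmed* owner confirms the member
/// (Accepted -> Confirmed). Anything else is rejected.
pub fn confirm_member(confirmer: Membership, m: Membership) -> Result<Membership, &'static str> {
    if confirmer.kind != MembershipType::Owner || confirmer.status != MembershipStatus::Confirmed {
        return Err("only a confirmed owner may confirm members");
    }
    match m.status {
        MembershipStatus::Accepted => Ok(Membership { status: MembershipStatus::Confirmed, ..m }),
        MembershipStatus::Confirmed => Ok(m),
        MembershipStatus::Invited => Err("member has not accepted the invite yet"),
    }
}

/// Vulnerable pattern (CWE-863): authorizes on type alone.
pub fn may_purge_vulnerable(m: &Membership) -> bool {
    m.kind == MembershipType::Owner
}

/// Hardened pattern: type AND status must both be satisfied.
pub fn may_purge_fixed(m: &Membership) -> bool {
    m.kind == MembershipType::Owner && m.status == MembershipStatus::Confirmed
}

/// Simulated organization vault; a purge hard-deletes every cipher in it.
pub struct OrgVault {
    pub ciphers: Vec<String>,
}

/// Purge handler parameterised by the authorization check it applies.
/// Returns how many ciphers were deleted, or "forbidden" if the check fails.
pub fn purge_org(
    vault: &mut OrgVault,
    caller: &Membership,
    check: fn(&Membership) -> bool,
) -> Result<usize, &'static str> {
    if !check(caller) {
        return Err("forbidden");
    }
    let n = vault.ciphers.len();
    vault.ciphers.clear();
    Ok(n)
}

fn main() {
    // Constructed scenario: an invited owner accepts but is never confirmed.
    let invited = Membership { kind: MembershipType::Owner, status: MembershipStatus::Invited };
    let accepted = accept_invite(invited);
    let mut vault = OrgVault { ciphers: vec!["login-a".into(), "card-b".into()] };

    println!("fixed check:      {:?}", purge_org(&mut vault, &accepted, may_purge_fixed));
    println!("vulnerable check: {:?}", purge_org(&mut vault, &accepted, may_purge_vulnerable));
}
```

The hardened check is the one a reviewer should look for on every organization-scoped destructive endpoint: membership type answers "what role was this account given", membership status answers "has an existing owner actually vouched for it", and authorization must require both.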

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Authorization bypass on purge endpoint directly enables unauthorized hard deletion of all organization vault data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27802 (same product: Dani-Garcia Vaultwarden)
CVE-2026-27803 (same product: Dani-Garcia Vaultwarden)
CVE-2026-43912 (same product: Dani-Garcia Vaultwarden)
CVE-2026-43914 (same product: Dani-Garcia Vaultwarden)
CVE-2024-55225 (same product: Dani-Garcia Vaultwarden)
CVE-2024-55224 (same product: Dani-Garcia Vaultwarden)
CVE-2025-24364 (same product: Dani-Garcia Vaultwarden)
CVE-2025-24365 (same product: Dani-Garcia Vaultwarden)
CVE-2026-35653 (shared CWE-863)
CVE-2025-24233 (shared CWE-863)

Affected Assets

dani-garcia / vaultwarden ≤ 1.35.5

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-863:

Periodic review and update of procedures reduces incorrect authorization implementations over time.

Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.

Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.

The authorization process and usage restrictions help prevent incorrect authorization for remote access types.

Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.

Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.

Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.

Ensures authorization decisions for external system use are correctly implemented and enforced.

References