Cyber Resilience

CVE-2026-43914

High · Public PoC

Published: 11 May 2026
Modified: 13 May 2026
KEV Added: not listed
Patch: fixed in 1.35.4
CVSS Score (v3.1): 7.3 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score: 0.0029 (20.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-43914 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Dani-Garcia Vaultwarden. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, Vaultwarden allows bypassing the login brute-force protection if email 2FA is enabled. If email 2FA is enabled, the unprotected 2FA function send_email_login (email.rs, API endpoint /api/two-factor/send-email-login) also acts as an oracle that reveals whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate limiting. This works even for users who do not have email 2FA configured. This vulnerability is fixed in 1.35.4.
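The defect described above is a rate limit that covers the primary login path but not a second endpoint that validates the same password. The following is an added illustration, not Vaultwarden's own code: a hypothetical `LoginGuard` that every password-checking handler must pass through, shown next to the unguarded pattern the advisory describes. The user store, the handler names (modelled on the advisory's `/api/two-factor/send-email-login`), the thresholds and the clock value `now` are all constructed for the example.

```rust
use std::collections::HashMap;

/// Outcome of an authentication attempt as returned to the caller.
#[derive(Debug, PartialEq, Eq)]
pub enum AuthOutcome {
    /// Username/password pair is correct.
    Ok,
    /// Username/password pair is wrong (or the user does not exist).
    BadCredentials,
    /// Too many recent failures: the password was NOT evaluated, so this
    /// answer carries no information about whether the guess was right.
    Locked,
}

/// Constructed user store standing in for the real database. A real server
/// stores and verifies a password hash (Argon2, PBKDF2); the limiter, not
/// the hashing, is the point of this example.
pub struct UserStore {
    users: HashMap<String, String>,
}

impl UserStore {
    pub fn sample() -> Self {
        let mut users = HashMap::new();
        users.insert("alice".to_string(), "correct horse".to_string());
        UserStore { users }
    }

    fn verify(&self, user: &str, password: &str) -> bool {
        self.users.get(user).map(|p| p == password).unwrap_or(false)
    }
}

/// Hypothetical brute-force guard: per-username failure counter with a
/// fixed-window lockout. Time is passed in as seconds so the logic is
/// deterministic and testable.
pub struct LoginGuard {
    max_failures: u32,
    lockout_secs: u64,
    /// username -> (failures in the current window, window start)
    failures: HashMap<String, (u32, u64)>,
}

impl LoginGuard {
    pub fn new(max_failures: u32, lockout_secs: u64) -> Self {
        LoginGuard { max_failures, lockout_secs, failures: HashMap::new() }
    }

    /// The single choke point: every handler that validates a password calls
    /// this, so a limit on one route cannot be sidestepped via another.
    /// Unknown users are counted too, so the response shape is identical
    /// whether or not the account exists.
    pub fn attempt(&mut self, store: &UserStore, user: &str, password: &str, now: u64) -> AuthOutcome {
        if let Some(&(count, since)) = self.failures.get(user) {
            let age = now.saturating_sub(since);
            if count >= self.max_failures && age < self.lockout_secs {
                return AuthOutcome::Locked; // refuse before touching the password
            }
            if age >= self.lockout_secs {
                self.failures.remove(user); // window expired, start fresh
            }
        }
        if store.verify(user, password) {
            self.failures.remove(user);
            AuthOutcome::Ok
        } else {
            let entry = self.failures.entry(user.to_string()).or_insert((0, now));
            entry.0 += 1;
            AuthOutcome::BadCredentials
        }
    }
}

/// Primary password login: goes through the guard.
pub fn password_login(guard: &mut LoginGuard, store: &UserStore, user: &str, pw: &str, now: u64) -> AuthOutcome {
    guard.attempt(store, user, pw, now)
}

/// The unsafe pattern behind CWE-307 here: a helper endpoint that checks the
/// password on its own, outside the guard, and therefore answers without limit.
pub fn send_email_login_unguarded(store: &UserStore, user: &str, pw: &str) -> AuthOutcome {
    if store.verify(user, pw) { AuthOutcome::Ok } else { AuthOutcome::BadCredentials }
}

/// Fixed pattern: the 2FA helper shares the guard (and its counters) with the
/// primary login, so failures on either route count toward the same lockout.
pub fn send_email_login_guarded(guard: &mut LoginGuard, store: &UserStore, user: &str, pw: &str, now: u64) -> AuthOutcome {
    guard.attempt(store, user, pw, now)
}

fn main() {
    let store = UserStore::sample();
    let mut guard = LoginGuard::new(3, 300);
    // Three wrong guesses through the 2FA helper lock the account; the fourth
    // call is refused even though it carries the correct password.
    for (i, pw) in ["guess1", "guess2", "guess3", "correct horse"].iter().enumerate() {
        println!("{:?}", send_email_login_guarded(&mut guard, &store, "alice", pw, i as u64));
    }
}
```

The design point is that the guard's state is keyed by the account, not by the route: a failure recorded by `send_email_login_guarded` is visible to `password_login` and vice versa, and a locked account gets `Locked` before any password comparison runs, so the lockout response cannot serve as an oracle.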

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Why these techniques?

The vulnerability bypasses rate limiting on authentication attempts via the 2FA oracle endpoint, enabling password guessing and brute force (CWE-307).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43912 (same product: Dani-Garcia Vaultwarden)
CVE-2026-27803 (same product: Dani-Garcia Vaultwarden)
CVE-2026-43913 (same product: Dani-Garcia Vaultwarden)
CVE-2024-55225 (same product: Dani-Garcia Vaultwarden)
CVE-2024-55224 (same product: Dani-Garcia Vaultwarden)
CVE-2026-27802 (same product: Dani-Garcia Vaultwarden)
CVE-2025-24364 (same product: Dani-Garcia Vaultwarden)
CVE-2025-24365 (same product: Dani-Garcia Vaultwarden)
CVE-2025-25595 (shared CWE-307)
CVE-2026-32295 (shared CWE-307)

Affected Assets

Vendor: dani-garcia
Product: vaultwarden
Versions: ≤ 1.35.4

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-307

This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

addresses: CWE-307

Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.

References