CVE-2026-43914
Published: 11 May 2026
Summary
CVE-2026-43914 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 10.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.
Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly bypasses rate-limiting on auth attempts via 2FA oracle endpoint, enabling password guessing/brute force (CWE-307).
NVD Description
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs,…
more
api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)