ZeroPath at Black Hat USA 2026

Quick Look: Vaultwarden CVE-2026-43914 — Brute Force Protection Bypass via Email 2FA Oracle

A brief summary of CVE-2026-43914, a high severity brute force protection bypass in Vaultwarden that leverages an unprotected email 2FA endpoint as a credential oracle.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-11

Quick Look: Vaultwarden CVE-2026-43914 — Brute Force Protection Bypass via Email 2FA Oracle
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing rate limit on a single API endpoint in Vaultwarden allows attackers to brute force user passwords with zero throttling, turning an email two factor authentication feature into a credential verification oracle. For the many organizations and individuals who self host Vaultwarden as their password manager backend, this flaw (CVE-2026-43914, CVSS 7.3) quietly undermines one of the most fundamental protections against online password guessing attacks.

Vaultwarden is an unofficial, Bitwarden compatible server written in Rust, originally known as bitwarden_rs. It is widely adopted in the self hosting community and by organizations seeking a lightweight, on premises alternative to the official Bitwarden server stack while retaining full compatibility with all Bitwarden client applications. Its popularity makes this vulnerability relevant to a broad segment of the password management ecosystem.

Technical Information

Root Cause

The vulnerability exists in the send_email_login function, which serves the /api/two-factor/send-email-login API endpoint. Vaultwarden's standard authentication paths, including _sso_login, _password_login, and _api_key_login, are all protected by a check_limit_login function that enforces rate limiting on failed login attempts. The email 2FA login endpoint, however, was not wrapped with this same protection.

This omission alone would be a rate limiting gap, but the real severity comes from the endpoint's differential response behavior. The server returns distinct HTTP status codes and messages depending on the validity of the submitted credentials:

Credential StatusResponse CodeResponse MessageAttacker Implication
Correct credentials200 or 400"Two factor not found" (if 400)Password confirmed valid
Incorrect credentials400"Username or password is incorrect"Password confirmed invalid
Email 2FA disabled400"Email 2FA is disabled"Oracle not exploitable

This pattern transforms the endpoint into a reliable authentication oracle. An attacker can submit unlimited password guesses and immediately determine correctness from the response, with no lockout, no delay, and no alerting through the normal brute force detection path.

Attack Flow

  1. The attacker identifies an internet exposed Vaultwarden instance and confirms that email 2FA is enabled at the server level.
  2. The attacker selects a target email address (username) registered on the instance.
  3. For each candidate password, the attacker computes the master password hash using PBKDF2 with 600000 iterations (matching Vaultwarden's expected format).
  4. The attacker sends a POST request to /api/two-factor/send-email-login with the target email, the computed hash, and a dummy device identifier.
  5. The attacker inspects the HTTP response. A response of "Username or password is incorrect" means the guess was wrong; a 200 response or "Two factor not found" confirms the password is correct.
  6. This process repeats at an unlimited rate until the correct password is found.

Scope

A critical nuance: this vulnerability affects all users on a Vaultwarden instance where email 2FA is enabled at the server level. Individual users do not need to have email 2FA configured on their own accounts to be vulnerable. The mere availability of the feature at the server configuration level exposes the oracle endpoint.

The vulnerability is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). The attack vector is network based, attack complexity is low, no privileges are required, and no user interaction is needed.

Affected Systems and Versions

All Vaultwarden versions prior to 1.35.4 are affected when email 2FA is enabled at the server level. The vulnerability is fixed in version 1.35.4.

Specifically:

  • Vulnerable: Vaultwarden versions before 1.35.4 with email 2FA enabled
  • Not vulnerable: Vaultwarden 1.35.4 and later
  • Not exploitable: Instances where email 2FA is disabled at the server level (regardless of version)

Vendor Security History

The Vaultwarden 1.35.4 release bundled fixes for multiple security advisories, indicating a coordinated security response:

AdvisoryIssue Description
GHSA-c5rv-q295-7w4g (CVE-2026-43914)Brute force protection bypass via email 2FA oracle
GHSA-w9f8-m526-h7fhUnauthorized cipher access via known UUID
GHSA-h4hq-rgvh-wh27Manager level unauthorized collection modification
GHSA-r32r-j5jq-3w4mManager level modification of unassigned collections

Additionally, CVE-2026-33420, affecting the get_org_collections_details endpoint, impacts version 1.35.4 and earlier. Organizations should monitor for subsequent releases addressing that issue as well.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization