Introduction
A missing rate limit on a single API endpoint in Vaultwarden allows attackers to brute force user passwords with zero throttling, turning an email two factor authentication feature into a credential verification oracle. For the many organizations and individuals who self host Vaultwarden as their password manager backend, this flaw (CVE-2026-43914, CVSS 7.3) quietly undermines one of the most fundamental protections against online password guessing attacks.
Vaultwarden is an unofficial, Bitwarden compatible server written in Rust, originally known as bitwarden_rs. It is widely adopted in the self hosting community and by organizations seeking a lightweight, on premises alternative to the official Bitwarden server stack while retaining full compatibility with all Bitwarden client applications. Its popularity makes this vulnerability relevant to a broad segment of the password management ecosystem.
Technical Information
Root Cause
The vulnerability exists in the send_email_login function, which serves the /api/two-factor/send-email-login API endpoint. Vaultwarden's standard authentication paths, including _sso_login, _password_login, and _api_key_login, are all protected by a check_limit_login function that enforces rate limiting on failed login attempts. The email 2FA login endpoint, however, was not wrapped with this same protection.
This omission alone would be a rate limiting gap, but the real severity comes from the endpoint's differential response behavior. The server returns distinct HTTP status codes and messages depending on the validity of the submitted credentials:
| Credential Status | Response Code | Response Message | Attacker Implication |
|---|---|---|---|
| Correct credentials | 200 or 400 | "Two factor not found" (if 400) | Password confirmed valid |
| Incorrect credentials | 400 | "Username or password is incorrect" | Password confirmed invalid |
| Email 2FA disabled | 400 | "Email 2FA is disabled" | Oracle not exploitable |
This pattern transforms the endpoint into a reliable authentication oracle. An attacker can submit unlimited password guesses and immediately determine correctness from the response, with no lockout, no delay, and no alerting through the normal brute force detection path.
Attack Flow
- The attacker identifies an internet exposed Vaultwarden instance and confirms that email 2FA is enabled at the server level.
- The attacker selects a target email address (username) registered on the instance.
- For each candidate password, the attacker computes the master password hash using PBKDF2 with 600000 iterations (matching Vaultwarden's expected format).
- The attacker sends a POST request to
/api/two-factor/send-email-loginwith the target email, the computed hash, and a dummy device identifier. - The attacker inspects the HTTP response. A response of "Username or password is incorrect" means the guess was wrong; a 200 response or "Two factor not found" confirms the password is correct.
- This process repeats at an unlimited rate until the correct password is found.
Scope
A critical nuance: this vulnerability affects all users on a Vaultwarden instance where email 2FA is enabled at the server level. Individual users do not need to have email 2FA configured on their own accounts to be vulnerable. The mere availability of the feature at the server configuration level exposes the oracle endpoint.
The vulnerability is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). The attack vector is network based, attack complexity is low, no privileges are required, and no user interaction is needed.
Affected Systems and Versions
All Vaultwarden versions prior to 1.35.4 are affected when email 2FA is enabled at the server level. The vulnerability is fixed in version 1.35.4.
Specifically:
- Vulnerable: Vaultwarden versions before 1.35.4 with email 2FA enabled
- Not vulnerable: Vaultwarden 1.35.4 and later
- Not exploitable: Instances where email 2FA is disabled at the server level (regardless of version)
Vendor Security History
The Vaultwarden 1.35.4 release bundled fixes for multiple security advisories, indicating a coordinated security response:
| Advisory | Issue Description |
|---|---|
| GHSA-c5rv-q295-7w4g (CVE-2026-43914) | Brute force protection bypass via email 2FA oracle |
| GHSA-w9f8-m526-h7fh | Unauthorized cipher access via known UUID |
| GHSA-h4hq-rgvh-wh27 | Manager level unauthorized collection modification |
| GHSA-r32r-j5jq-3w4m | Manager level modification of unassigned collections |
Additionally, CVE-2026-33420, affecting the get_org_collections_details endpoint, impacts version 1.35.4 and earlier. Organizations should monitor for subsequent releases addressing that issue as well.



