CVE-2026-43911
Published 2026-05-11
Priority: P3 · 51 · Severity: high · CVSS 3.1 base score: 8.1
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.22% (11.9th percentile)
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.
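How binding refresh tokens to the security stamp closes this class of issue, as an added Rust illustration that is not Vaultwarden's code: the token snapshots the user's security_stamp when issued, and the hardened validator rejects it once the stamp has been rotated, while the weak validator only checks expiry and user existence. The Store, User and RefreshToken types, the validator names and the timestamps are assumptions.

```rust
// Added illustration, not Vaultwarden's code: a refresh token that snapshots the
// user's security_stamp, so that rotating the stamp invalidates older tokens.
use std::collections::HashMap;

pub struct User {
    pub security_stamp: String, // rotated on security-sensitive operations
}

pub struct RefreshToken {
    pub user_id: String,
    pub stamp_at_issue: String, // hypothetical field: stamp when token was minted
    pub expires_at: u64,        // unix seconds (constructed values in the test)
}

pub struct Store {
    pub users: HashMap<String, User>, // user id -> user
}

impl Store {
    pub fn add_user(&mut self, id: &str, stamp: &str) {
        self.users.insert(id.to_string(), User { security_stamp: stamp.to_string() });
    }

    /// Issue a refresh token bound to the user's current security_stamp.
    pub fn issue_refresh(&self, user_id: &str, now: u64, ttl: u64) -> Option<RefreshToken> {
        let stamp = self.users.get(user_id)?.security_stamp.clone();
        Some(RefreshToken { user_id: user_id.to_string(), stamp_at_issue: stamp, expires_at: now + ttl })
    }

    /// Models a password change / KDF change / key rotation: the stamp changes.
    pub fn rotate_stamp(&mut self, user_id: &str, new_stamp: &str) -> bool {
        match self.users.get_mut(user_id) {
            Some(u) => { u.security_stamp = new_stamp.to_string(); true }
            None => false,
        }
    }
    /// Weak check (the failure mode the advisory describes): expiry and user existence only.
    pub fn refresh_vulnerable(&self, t: &RefreshToken, now: u64) -> bool {
        now < t.expires_at && self.users.contains_key(&t.user_id)
    }

    /// Hardened check: the token's stamp snapshot must equal the current stamp.
    pub fn refresh_hardened(&self, t: &RefreshToken, now: u64) -> bool {
        match self.users.get(&t.user_id) {
            Some(u) => now < t.expires_at && u.security_stamp == t.stamp_at_issue,
            None => false,
        }
    }
}
```

Any token minted before a rotation fails the hardened check, which is the post-1.35.5 behaviour the advisory describes; a token minted after the rotation carries the new stamp and is accepted until it expires.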
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dani-garcia | vaultwarden | < 1.35.5 | 1.35.5 |
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-05-12 · CVSS 6.8 · MEDIUM
CVE-2026-43911 vaultwarden: Vaultwarden: Session persistence due to unexpired refresh tokens after security actions [fedora-all]
Disclaimer: Community trackers are created by the Red Hat Product Security team on a best-effort basis. Package maintainers are required to ascertain whether the flaw indeed affects their package before starting the update process.
Bugzilla · 2026-05-12 · CVSS 6.8 · MEDIUM
CVE-2026-43911 vaultwarden: Vaultwarden: Session persistence due to unexpired refresh tokens after security actions [epel-all]
Bugzilla · 2026-05-11 · CVSS 6.8 · MEDIUM
CVE-2026-43911 vaultwarden: Vaultwarden: Session persistence due to unexpired refresh tokens after security actions