CVE-2026-43913
Published 2026-05-11
Priority: P3 50 · Severity: high · CVSS 3.1 base score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.27% (18.2th percentile)
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, and a separate confirmation by an existing owner upgrades it to Confirmed. The POST /api/ciphers/purge endpoint uses plain Headers and only checks that the membership type is Owner, without verifying that the membership status is Confirmed. An authenticated user who has been invited as an organization owner and has accepted the invite, but has not yet been confirmed, can call this endpoint to hard-delete all ciphers and attachments in the organization, causing immediate organization-wide data loss. This vulnerability is fixed in 1.35.5.
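As an added illustration (not Vaultwarden's own code; every type and function name here is hypothetical), the following Rust model shows the two-step invite flow described above together with the purge authorization check, both as it behaved before 1.35.5 and with the status check the fix requires:

```rust
// Added illustration, not Vaultwarden's own code: a minimal model of the two-step
// invite flow and of the owner check behind POST /api/ciphers/purge, showing the
// pre-1.35.5 logic beside a hardened check. All names here are hypothetical.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum MembershipStatus { Invited, Accepted, Confirmed }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum MembershipType { User, Admin, Owner }

#[derive(Clone, Copy, Debug)]
pub struct Membership { pub status: MembershipStatus, pub atype: MembershipType }

impl Membership {
    /// Step 1: the invitee accepts. Only the invitee acts here, so Accepted must
    /// never be treated as a privileged state by itself.
    pub fn accept_invite(&mut self) -> Result<(), &'static str> {
        match self.status {
            MembershipStatus::Invited => { self.status = MembershipStatus::Accepted; Ok(()) }
            _ => Err("invite is not pending"),
        }
    }

    /// Step 2: an existing, confirmed owner confirms the accepted member.
    pub fn confirm(&mut self, by: &Membership) -> Result<(), &'static str> {
        if !is_confirmed_owner(by) {
            return Err("only a confirmed owner may confirm members");
        }
        match self.status {
            MembershipStatus::Accepted => { self.status = MembershipStatus::Confirmed; Ok(()) }
            _ => Err("member has not accepted the invite"),
        }
    }
}

/// Pre-1.35.5 purge authorization: only the membership *type* is inspected, so an
/// owner whose invite was accepted but never confirmed passes this check.
pub fn may_purge_vulnerable(m: &Membership) -> bool {
    m.atype == MembershipType::Owner
}

/// Hardened purge authorization: the handler must require an Owner that is also
/// Confirmed, i.e. a member that passed step 2 above.
pub fn is_confirmed_owner(m: &Membership) -> bool {
    m.atype == MembershipType::Owner && m.status == MembershipStatus::Confirmed
}

fn main() {
    let mut invitee = Membership { status: MembershipStatus::Invited, atype: MembershipType::Owner };
    invitee.accept_invite().unwrap();
    println!("accepted, unconfirmed owner: vulnerable={} fixed={}", may_purge_vulnerable(&invitee), is_confirmed_owner(&invitee));
}
```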
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dani-garcia | vaultwarden | < 1.35.5 | 1.35.5 |
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-43913 vaultwarden: Vaultwarden: Organization-wide data loss due to unconfirmed owner's ability to purge vault [fedora-all]
bugzilla · 2026-05-12 · CVSS 8.1 · HIGH
Disclaimer: Community trackers are created by the Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-43913 vaultwarden: Vaultwarden: Organization-wide data loss due to unconfirmed owner's ability to purge vault [epel-all]
bugzilla · 2026-05-12 · CVSS 8.1 · HIGH
Bugzilla
CVE-2026-43913 vaultwarden: Vaultwarden: Organization-wide data loss due to unconfirmed owner's ability to purge vault
bugzilla · 2026-05-11 · CVSS 8.1 · HIGH