Vulnerability in Dani-garcia Vaultwarden
CVE-2026-27801
Vaultwarden is an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authen…
EPSS: 0.000 (2.8th percentile)
Affected products
- Dani-garcia Vaultwarden — versions < 1.35.0
Weakness classification (CWE)
References
- https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr (x_refsource_CONFIRM)