{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27801", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:31:33.266Z", "datePublished": "2026-03-04T21:32:14.614Z", "dateUpdated": "2026-03-05T15:30:50.274Z"}, "containers": {"cna": {"title": "Vaultwarden: 2FA Bypass on Protected Actions due to Faulty Rate Limit Enforcement", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr"}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"version": "< 1.35.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T21:32:14.614Z"}, "descriptions": [{"lang": "en", "value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user\u2019s account can exploit this bypass to perform protected actions such as accessing the user\u2019s API key or deleting the user\u2019s vault and organisations the user is an admin/owner of . This issue has been patched in version 1.35.0."}], "source": {"advisory": "GHSA-v6pg-v89r-w8wr", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:30:47.611803Z", "id": "CVE-2026-27801", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:30:50.274Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27801", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T15:30:47.611803Z"}}}], "references": [{"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:30:41.252Z"}}], "cna": {"title": "Vaultwarden: 2FA Bypass on Protected Actions due to Faulty Rate Limit Enforcement", "source": {"advisory": "GHSA-v6pg-v89r-w8wr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "dani-garcia", "product": "vaultwarden", "versions": [{"status": "affected", "version": "< 1.35.0"}]}], "references": [{"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr", "name": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user\u2019s account can exploit this bypass to perform protected actions such as accessing the user\u2019s API key or deleting the user\u2019s vault and organisations the user is an admin/owner of . This issue has been patched in version 1.35.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T21:32:14.614Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27801", "state": "PUBLISHED", "dateUpdated": "2026-03-05T15:30:50.274Z", "dateReserved": "2026-02-24T02:31:33.266Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-04T21:32:14.614Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E2621A9-90DC-46B4-950C-FAC2EE6A6A50", "versionEndExcluding": "1.35.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user\u2019s account can exploit this bypass to perform protected actions such as accessing the user\u2019s API key or deleting the user\u2019s vault and organisations the user is an admin/owner of . This issue has been patched in version 1.35.0."}], "id": "CVE-2026-27801", "lastModified": "2026-03-06T19:45:34.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-04T22:16:17.897", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "vaultwarden: Vaultwarden: Two-factor authentication bypass allows unauthorized access and data deletion.", "id": "2444677", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444677"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-307", "details": ["No description is available for this CVE."], "name": "CVE-2026-27801", "public_date": "2026-03-04T21:32:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27801\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27801\nhttps://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr"], "statement": "This MODERATE vulnerability allows an authenticated attacker to bypass 2FA for protected actions via faulty rate limiting. Exploitation requires network access and low privileges (valid account). Impact includes high confidentiality loss (API key exposure), high integrity loss (vault/org deletion), and high availability loss (data destruction). Red Hat ships Vaultwarden in its community products.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.35.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vaultwarden", "source": "cna", "vendor": "dani-garcia"}, "product": "vaultwarden", "vendor": "dani-garcia"}], "analysis": {"en": {"generated_at": "2026-04-16T13:07:52.361550+00:00", "value": {"mitigation_remediation": ["Upgrade to Vaultwarden 1.35.0 or later to remove the 2FA bypass", "After upgrading, verify that rate limiting is active for protected endpoints and that no privileged actions proceed without valid 2FA tokens", "Continuously monitor audit logs for unauthorized attempts to perform protected actions and review any accounts where 2FA was disabled or bypassed"], "summary": {"action": "Apply Patch", "impact": "2FA bypass allowing privileged actions such as accessing API keys and deleting vaults"}, "threat_synthesis": {"affected_systems": "The issue affects all instances of Vaultwarden version 1.34.3 and earlier. The vendor, dani\u2011garcia, has released version 1.35.0 which addresses the problem. Users running older versions are therefore exposed.", "description_and_impact": "Vaultwarden, an unofficial Bitwarden-compatible server, contains a flaw that permits a two\u2011factor authentication bypass during protected operations. After an attacker gains authenticated access to a user account, the system fails to enforce rate limiting, enabling the attacker to execute privileged actions that normally require 2FA, including retrieving API keys and deleting the victim\u2019s vault and associated organisations. The vulnerability is a classic authentication bypass (CWE\u2011307) which directly undermines the confidentiality and integrity of user data.", "risk_and_exploitability": "The CVSS score of 6 indicates a moderate severity, and the EPSS score of less than 1% suggests that exploitation attempts are unlikely to be widespread, especially since the attacker must already possess authenticated credentials. The vulnerability is not listed in the CISA KEV catalog, but it still poses a significant risk to accounts with high privilege, as the bypass allows full control over sensitive data and account structure. The attack vector is inferred to be remote, requiring prior authentication; attackers could obtain credentials through phishing, credential stuffing, or other enumeration techniques, after which the rate\u2011limit flaw can be leveraged to bypass 2FA requirements."}}}}, "created": "2026-03-05T09:05:45.986412+00:00", "updated": "2026-04-16T13:15:06.224622+00:00", "vendors": ["dani-garcia", "dani-garcia$PRODUCT$vaultwarden"]}