
233 matches found

Fedora
added 2026/06/12 1:8 a.m., 7 views

[SECURITY] Fedora 43 Update: vaultwarden-1.36.0-1.fc43

Unofficial Bitwarden compatible server...

CVSS 8.3, AI score 5.4, EPSS 0.00443
Exploits: 4

Fedora
added 2026/06/12 1:8 a.m., 6 views

[SECURITY] Fedora 43 Update: vaultwarden-web-2026.4.1-1.fc43

Web vault for vaultwarden...

CVSS 8.3, AI score 5.4, EPSS 0.00293
Exploits: 1

Fedora
added 2026/06/12 1:0 a.m., 7 views

[SECURITY] Fedora 44 Update: vaultwarden-1.36.0-1.fc44

Unofficial Bitwarden compatible server...

CVSS 8.3, AI score 5.4, EPSS 0.00443
Exploits: 4

Fedora
added 2026/06/12 1:0 a.m., 6 views

[SECURITY] Fedora 44 Update: vaultwarden-web-2026.4.1-1.fc44

Web vault for vaultwarden...

CVSS 8.3, AI score 5.4, EPSS 0.00293
Exploits: 1

Tenable Nessus
added 2026/06/12 12:0 a.m., 8 views

Fedora 43 : vaultwarden (2026-264f9ef567)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-264f9ef567 advisory. Update to 1.36.0. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested f...

CVSS 7.5, AI score 5.5, EPSS 0.00443
Exploits: 3, References: 4

Tenable Nessus
added 2026/06/12 12:0 a.m., 14 views

Fedora 44 : vaultwarden-web (2026-111cf6d28f)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-111cf6d28f advisory. Update to 2026.4.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for this...

AI score 5.5
Exploits: 0, References: 1

Tenable Nessus
added 2026/06/12 12:0 a.m., 9 views

Fedora 43 : vaultwarden-web (2026-064873552d)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-064873552d advisory. Update to 2026.4.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested...

CVSS 8.3, AI score 5.4, EPSS 0.00293
Exploits: 1, References: 4

Tenable Nessus
added 2026/06/12 12:0 a.m., 8 views

Fedora 44 : vaultwarden (2026-e14ea170b6)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-e14ea170b6 advisory. Update to 1.36.0. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for this...

AI score 5.5
Exploits: 0, References: 1

RedhatCVE
added 2026/05/13 5:31 p.m., 6 views

CVE-2026-31835

A flaw was found in Vaultwarden. The WebAuthn authentication process in versions 1.35.4 and earlier incorrectly updates user credential information before fully verifying the authentication signature. This allows an attacker who possesses a user's password, but cannot complete the WebAuthn...

CVSS 5.4, AI score 5.8, EPSS 0.00151
Exploits: 1, References: 2

RedhatCVE
added 2026/05/12 12:42 p.m., 12 views

CVE-2026-43912

A flaw was found in Vaultwarden, a Bitwarden-compatible server. A remote attacker with administrative privileges in one organization and low-privileged membership in another could exploit improper enforcement of organization consistency in group management endpoints. This allows the attacker to...

CVSS 8.7, AI score 5.8, EPSS 0.00289
Exploits: 1, References: 2

RedhatCVE
added 2026/05/12 12:42 p.m., 11 views

CVE-2026-43913

A flaw was found in Vaultwarden, a Bitwarden-compatible server. An authenticated user, who has been invited as an organization owner and accepted the invitation but has not yet been confirmed by an existing owner, can exploit this vulnerability. By calling a specific API endpoint, this user can...

CVSS 8.1, AI score 5.7, EPSS 0.00267
Exploits: 1, References: 2

RedhatCVE
added 2026/05/12 12:42 p.m., 12 views

CVE-2026-43911

A flaw was found in Vaultwarden. This vulnerability allows an attacker who has previously obtained a user's refresh token to maintain session access. This occurs because refresh tokens are not invalidated when security-sensitive operations, such as password changes or key rotations, are performed...

CVSS 8.1, AI score 5.7, EPSS 0.00216
Exploits: 1, References: 2

RedhatCVE
added 2026/05/12 9:49 a.m., 12 views

CVE-2026-43914

A flaw was found in Vaultwarden, a Bitwarden-compatible server. A remote attacker can exploit an unprotected two-factor authentication 2FA function, sendemaillogin, to bypass login brute-force protection. This allows the attacker to repeatedly attempt password guesses without rate-limiting,...

CVSS 9.8, AI score 5.8, EPSS 0.00288
Exploits: 1, References: 2

NVD
added 2026/05/11 11:20 p.m., 15 views

CVE-2026-43914

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

CVSS 9.8, EPSS 0.00288
Exploits: 1, References: 3

NVD
added 2026/05/11 11:20 p.m., 12 views

CVE-2026-43913

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, an...

CVSS 8.1, EPSS 0.00267
Exploits: 1, References: 1

NVD
added 2026/05/11 11:20 p.m., 8 views

CVE-2026-43911

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's securitystamp is rotated by some security-sensitive operations password change, KDF change, key rotation, email change, org admin password reset, emergency access...

CVSS 8.1, EPSS 0.00216
Exploits: 1, References: 1

NVD
added 2026/05/11 11:20 p.m., 11 views

CVE-2026-43912

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groupsusers.usersorganizationsuuid entry belongs to the same organization as groups.groupsuuid, or a collectionsgroups.collectionsuuid entry belongs to the same organization as...

CVSS 8.7, EPSS 0.00289
Exploits: 1, References: 1

Cvelist
added 2026/05/11 10:3 p.m., 33 views

CVE-2026-43914 Vaultwarden: Brute-force protection bypass vulnerability

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

CVSS 7.3, EPSS 0.00288
Exploits: 1, References: 3

ATTACKERKB
added 2026/05/11 10:3 p.m., 5 views

CVE-2026-43914

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function sendemaillogin email.rs, api endpoi...

CVSS 7.3, AI score 5.8, EPSS 0.00288
Exploits: 1, References: 4, Affected Software: 1

CVE
added 2026/05/11 10:3 p.m., 55 views

CVE-2026-43914

Vaultwarden prior to 1.35.4 is affected. The unprotected two‑factor login endpoint /api/two-factor/send-email-login (email.rs) can act as an oracle to determine if a username/password is correct, enabling brute‑force attempts without rate‑limiting even for users without email 2FA. Impact: bypasse...

CVSS 9.8, AI score 5.8, EPSS 0.00288
Exploits: 1, References: 3, Affected Software: 1