CVE-2026-31835 Vaultwarden WebAuthn credential metadata tampered before signature verification
Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in validatewebauthnlogin updates persistent credential metadata 1backupeligible1 and 1backupstate flags1 based on unverified authenticatorData before signature validation...