PatchSiren cyber security CVE debrief

CVE-2026-43911 Dani Garcia CVE debrief

CVE-2026-43911 is a medium-severity authentication/session-management issue in Vaultwarden. Prior to version 1.35.5, refresh tokens were not invalidated when a user’s security_stamp was rotated by certain security-sensitive actions, including password change, KDF change, key rotation, email change, org admin password reset, and emergency access takeover. As a result, an attacker who already obtained a refresh token could keep renewing session access even after the account owner took steps intended to secure the account. The published remediation is Vaultwarden 1.35.5.

Vendor: Dani Garcia
Product: Vaultwarden
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-18
Advisory published: 2026-05-11
Advisory updated: 2026-05-18

Who should care

Vaultwarden administrators, identity and access management teams, and anyone responsible for user account recovery or credential-reset workflows. It is especially relevant where refresh tokens may have been exposed before an account was secured.

Technical summary

The issue is that refresh tokens were not invalidated when security-sensitive operations rotated the user’s security_stamp. That breaks the expected linkage between account security changes and token/session invalidation. NVD lists the issue as CVSS 3.1 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps it to CWE-613. The vulnerable CPE range ends before 1.35.5.
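As an added illustration of the control this CWE-613 finding is about (constructed example, not Vaultwarden's own code or data model), the following Rust model binds each refresh token to the security_stamp in force when it was issued and shows the pre-1.35.5 behaviour beside the hardened check; the in-memory Store, the counter-based stamp generator and the user id 1 are all assumptions made for the demonstration.

```rust
use std::collections::HashMap;
// Constructed model of the control described above; not Vaultwarden's own code.
pub struct RefreshToken {
    pub user_id: u64,
    pub issued_stamp: String, // security_stamp captured when the token was issued
}

#[derive(Default)]
pub struct Store {
    // user id -> current security_stamp (rotated by password/KDF/key/email changes)
    stamps: HashMap<u64, String>,
    counter: u64, // stand-in for a random stamp generator
}

impl Store {
    // Called at account creation and by every security-sensitive action.
    pub fn rotate_stamp(&mut self, id: u64) {
        self.counter += 1;
        self.stamps.insert(id, format!("stamp-{}", self.counter));
    }
    pub fn issue_refresh(&self, id: u64) -> Option<RefreshToken> {
        let issued_stamp = self.stamps.get(&id)?.clone();
        Some(RefreshToken { user_id: id, issued_stamp })
    }
    // Pre-1.35.5 behaviour as the advisory describes it: the refresh succeeds as
    // long as the user exists, so rotating the stamp changes nothing.
    pub fn refresh_ignoring_stamp(&self, tok: &RefreshToken) -> bool {
        self.stamps.contains_key(&tok.user_id)
    }
    // Hardened check: honour the token only while the stamp it carries still
    // matches the user's current security_stamp.
    pub fn refresh_checking_stamp(&self, tok: &RefreshToken) -> bool {
        self.stamps.get(&tok.user_id).map_or(false, |cur| *cur == tok.issued_stamp)
    }
}

// Create a user, issue a token, rotate the stamp (e.g. a password change), then
// try to refresh with the old token under both rules.
pub fn demo() -> (bool, bool) {
    let mut store = Store::default();
    store.rotate_stamp(1);
    let tok = store.issue_refresh(1).unwrap();
    store.rotate_stamp(1);
    (store.refresh_ignoring_stamp(&tok), store.refresh_checking_stamp(&tok))
}

fn main() {
    let (ignoring, checking) = demo();
    println!("refresh after rotation: ignoring stamp = {ignoring}, checking stamp = {checking}");
}
```

In a real deployment the same comparison belongs in every token-refresh path, and a rotated stamp should also be reflected in any server-side session record so that already-issued access tokens expire on schedule rather than being renewed.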

Defensive priority

Medium. Patch promptly if you run affected Vaultwarden versions, because the flaw can preserve authenticated access after password or key changes. Token invalidation during recovery and account-hardening events should be treated as a core defense control.

Recommended defensive actions

  • Upgrade Vaultwarden to version 1.35.5 or later.
  • Review account-recovery, password-reset, KDF-change, key-rotation, email-change, organization admin reset, and emergency access takeover workflows for token invalidation expectations.
  • If you suspect exposure, assume previously issued refresh tokens may remain valid until the affected instance is updated and sessions are re-established.
  • Monitor authentication and refresh-token activity around account security changes for signs of continued session use after remediation steps.
  • Use the official GitHub advisory and NVD record to track any additional vendor guidance or clarification.

Evidence notes

The supplied NVD record marks the issue as analyzed and references the GitHub Security Advisory GHSA-6j4w-g4jh-xjfx. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, severity MEDIUM, and the weakness listed is CWE-613. The vulnerable CPE entry is cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:* with versionEndExcluding 1.35.5. PublishedAt is 2026-05-11T23:20:21.837Z; modifiedAt is 2026-05-18T16:58:20.353Z.

Official resources

CVE published 2026-05-11 and last modified 2026-05-18. The affected version range ends before Vaultwarden 1.35.5, and the fix is documented in the vendor advisory.