CVE-2026-43911 Overview
CVE-2026-43911 affects Vaultwarden, a Bitwarden-compatible server implementation written in Rust. Versions prior to 1.35.5 fail to invalidate refresh tokens when a user's security_stamp is rotated. Security-sensitive operations such as password changes, key-derivation function (KDF) changes, key rotation, email changes, organization admin password resets, and emergency access takeover all trigger a security_stamp rotation. An attacker holding a previously obtained refresh token retains session access despite these recovery actions. The flaw is categorized under CWE-613: Insufficient Session Expiration.
Critical Impact
An attacker with a stolen refresh token maintains persistent access to a Vaultwarden account even after the victim performs account recovery actions intended to evict them.
Affected Products
- Vaultwarden versions prior to 1.35.5
- Self-hosted Bitwarden-compatible deployments using Vaultwarden
- Vaultwarden instances exposing the /identity/connect/token refresh flow
Discovery Timeline
- 2026-05-11 - CVE-2026-43911 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43911
Vulnerability Analysis
Vaultwarden issues OAuth-style access tokens paired with refresh tokens during user authentication. The security_stamp value acts as a session-binding identifier that should be validated on every token operation. When a user performs an account-securing action, Vaultwarden rotates the security_stamp to invalidate existing sessions. Prior to 1.35.5, the refresh token endpoint did not verify the current security_stamp against the value embedded in the refresh token. As a result, refresh tokens remained valid across rotations and could be exchanged for new access tokens indefinitely.
The vulnerability impacts confidentiality and integrity because vault data continues to be accessible to the attacker. It also undermines the trust model of every account recovery workflow, including emergency access takeover and organization admin password resets.
Root Cause
The root cause is missing validation logic in the refresh token grant handler. The handler accepted a refresh token, decoded the user identifier, and issued a new access token without comparing the token's stored security_stamp against the user's current security_stamp in the database. This is a textbook instance of [CWE-613] Insufficient Session Expiration.
Attack Vector
An attacker must first obtain a valid refresh token through prior session compromise, malware on a logged-in device, token exfiltration from browser storage, or interception. Once obtained, the attacker submits the refresh token to the Vaultwarden token endpoint and receives a fresh access token. The victim's password change, KDF change, key rotation, email change, or emergency access reset does not terminate the attacker's session. The attack succeeds entirely over the network without user interaction.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-6j4w-g4jh-xjfx for technical details.
Detection Methods for CVE-2026-43911
Indicators of Compromise
- Successful POST /identity/connect/token requests with grant_type=refresh_token immediately following a password change, KDF change, or email change event.
- Active sessions persisting from IP addresses or user agents that differ from the device used for the recent account recovery action.
- Vault item access logs originating from sessions that pre-date the most recent security_stamp rotation.
Detection Strategies
- Correlate authentication audit events with account-recovery events and alert when refresh token grants succeed for users whose security_stamp was rotated within the prior 24 hours.
- Baseline refresh token usage per account and flag refresh activity from unfamiliar IP ranges or autonomous system numbers after a recovery action.
- Inspect Vaultwarden access logs for token issuance volume spikes against single accounts following password resets.
Monitoring Recommendations
- Forward Vaultwarden application and reverse-proxy logs to a centralized logging platform for retention and query.
- Enable alerting on the sequence: account recovery action followed by token refresh from a new device fingerprint.
- Track outbound vault export and bulk item-read API calls that follow refresh token grants on recently-recovered accounts.
How to Mitigate CVE-2026-43911
Immediate Actions Required
- Upgrade all Vaultwarden instances to version 1.35.5 or later without delay.
- After upgrading, force a global session revocation by instructing affected users to rotate their master password, which triggers the corrected security_stamp validation path.
- Audit recent account recovery events and treat any concurrent active sessions as suspect.
Patch Information
The fix is included in Vaultwarden release 1.35.5. The patched refresh token handler validates the embedded security_stamp against the current user record and rejects refresh requests when the values do not match. Patch details are documented in the Vaultwarden Security Advisory GHSA-6j4w-g4jh-xjfx.
Workarounds
- Restart the Vaultwarden service to clear in-memory session state after any user account recovery action, as a temporary measure until patching.
- Restrict network access to the /identity/connect/token endpoint behind a VPN or zero-trust gateway to reduce exposure to stolen refresh tokens.
- Shorten refresh token lifetimes via reverse-proxy enforcement where feasible to limit the window of token reuse.
# Upgrade Vaultwarden Docker deployment to the patched release
docker pull vaultwarden/server:1.35.5
docker stop vaultwarden
docker rm vaultwarden
docker run -d --name vaultwarden \
-v /vw-data/:/data/ \
-p 80:80 \
vaultwarden/server:1.35.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
