CVE-2026-43914 Overview
CVE-2026-43914 is a brute-force protection bypass affecting Vaultwarden, a Bitwarden-compatible password manager server written in Rust. Versions prior to 1.35.4 expose the send_email_login function at the /api/two-factor/send-email-login endpoint without rate-limiting controls. When email two-factor authentication (2FA) is enabled on the server, this endpoint reveals whether a given username and password combination is valid. Attackers can abuse the endpoint as an oracle to brute-force credentials, including those of users who have not configured email 2FA. The weakness is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts); the maintainer released version 1.35.4 to address it.
Critical Impact
Unauthenticated attackers can perform unlimited password guessing against any Vaultwarden user account when email 2FA is enabled server-wide, leading to credential compromise and unauthorized vault access.
Affected Products
- Vaultwarden versions prior to 1.35.4
- Self-hosted Bitwarden-compatible deployments using dani-garcia/vaultwarden
- Instances with email 2FA enabled in server configuration
Discovery Timeline
- 2026-05-11 - CVE-2026-43914 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43914
Vulnerability Analysis
The flaw resides in Vaultwarden's email-based 2FA flow, specifically the send_email_login handler defined in email.rs. The endpoint /api/two-factor/send-email-login validates the supplied username and password before deciding whether to dispatch a 2FA email. Vaultwarden applies brute-force protection to its primary login endpoint, but the maintainers did not extend the same rate-limiting middleware to this secondary entry point.
The handler responds differently depending on whether credentials match a valid account. This behavioral divergence converts the endpoint into a credential validation oracle. Attackers can iterate password lists against the endpoint and identify correct combinations from response differences. The issue applies even to accounts that have never enabled email 2FA, because credential validation occurs before the 2FA configuration check.
Root Cause
The root cause is improper restriction of excessive authentication attempts [CWE-307]. The send_email_login route handler authenticates the submitted credentials but lacks the lockout and throttling logic applied to /api/accounts/login. The absence of consistent rate-limiting across all credential-validating endpoints allowed attackers to bypass the protective control.
Attack Vector
An unauthenticated remote attacker sends repeated POST requests to /api/two-factor/send-email-login with a target username and candidate passwords. The endpoint must be reachable over the network, and the server must have email 2FA enabled. The attacker observes response behavior to determine credential validity. No user interaction or prior privileges are required. Once valid credentials are confirmed, the attacker can attempt vault access through the standard login flow.
No public proof-of-concept exploit code is currently available. Refer to the Vaultwarden Security Advisory GHSA-c5rv-q295-7w4g for additional context.
Detection Methods for CVE-2026-43914
Indicators of Compromise
- High volumes of POST requests to /api/two-factor/send-email-login from a single source IP or distributed set of IPs
- Repeated requests to the endpoint with varying password parameters for the same username
- Outbound email queue spikes corresponding to 2FA email dispatches from Vaultwarden
- Successful logins shortly after sustained request bursts against the 2FA endpoint
Detection Strategies
- Parse Vaultwarden access logs and reverse proxy logs for request rate anomalies targeting /api/two-factor/send-email-login
- Correlate failed credential validation responses with subsequent successful authentications from the same client identifiers
- Baseline normal 2FA email send volume and alert on statistical deviations
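The first two detection strategies above, as an added example that is not part of this advisory or of the Vaultwarden project: a sliding-window count of POSTs to /api/two-factor/send-email-login per client address over nginx combined-format access log lines, correlated with a later successful POST to the primary login route. The sample log lines are constructed, and the thresholds, the 200 status for a successful login and the /api/accounts/login path (taken from this page's description of the primary login route) are assumptions to tune to your proxy's log format and traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
TFA_PATH = "/api/two-factor/send-email-login"
LOGIN_PATH = "/api/accounts/login"  # primary login route as named in the advisory (assumption)
THRESHOLD = 10                      # POSTs to TFA_PATH from one IP inside WINDOW that count as a burst
WINDOW = timedelta(minutes=1)
FOLLOW_UP = timedelta(minutes=30)   # a 200 login this soon after a burst is the high-value signal
# nginx combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, datetime, method, path, status), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["method"], m["path"], int(m["status"])

def detect_bursts(lines):
    """Flag IPs whose POSTs to TFA_PATH reach THRESHOLD inside a sliding WINDOW; note a later 200 login."""
    tfa_hits, logins = defaultdict(list), defaultdict(list)
    for ip, ts, method, path, status in filter(None, map(parse_line, lines)):
        if method == "POST" and path == TFA_PATH:
            tfa_hits[ip].append(ts)          # any status code counts; only the request rate matters here
        elif method == "POST" and path == LOGIN_PATH and status == 200:
            logins[ip].append(ts)
    findings = {}
    for ip, times in tfa_hits.items():
        times.sort()
        best, start = None, 0
        for end, ts in enumerate(times):
            while ts - times[start] > WINDOW:  # drop hits that fell out of the window
                start += 1
            count = end - start + 1
            if count >= THRESHOLD and (best is None or count >= best[0]):
                best = (count, ts)
        if best:
            count, burst_end = best
            followed = any(burst_end <= t <= burst_end + FOLLOW_UP for t in logins[ip])
            findings[ip] = {"hits": count, "burst_end": burst_end, "login_after_burst": followed}
    return findings

def _log(ip, t, path, status):  # builds one constructed combined-format line; every value is synthetic
    return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "POST {path} HTTP/1.1" {status} 0 "-" "curl/8.5.0"'
T0 = datetime(2026, 5, 11, 10, 0, tzinfo=timezone.utc)
SAMPLE_LINES = (
    [_log("203.0.113.7", T0 + timedelta(seconds=3 * i), TFA_PATH, 400) for i in range(12)]  # guessing burst
    + [_log("203.0.113.7", T0 + timedelta(minutes=2), LOGIN_PATH, 200)]                      # then a valid login
    + [_log("198.51.100.2", T0 + timedelta(minutes=i), TFA_PATH, 200) for i in range(3)]     # ordinary 2FA user
)
```

Running `detect_bursts(SAMPLE_LINES)` flags only 203.0.113.7 (12 hits in one minute, followed by a successful login), while the three spaced requests from 198.51.100.2 stay below the threshold.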
Monitoring Recommendations
- Forward Vaultwarden and reverse proxy logs to a centralized analytics platform with retention for credential abuse investigation
- Monitor authentication telemetry from identity systems consuming Vaultwarden for unexpected geographic or device shifts
- Track SMTP relay metrics for unusual surges in 2FA email volume
How to Mitigate CVE-2026-43914
Immediate Actions Required
- Upgrade all Vaultwarden instances to version 1.35.4 or later without delay
- Audit access logs for prior abuse of /api/two-factor/send-email-login and force password resets on any suspect accounts
- Restrict administrative and login endpoints behind a VPN or IP allowlist where feasible
- Enable account lockout policies and review SMTP delivery logs for anomalies
Patch Information
The maintainer fixed the issue in Vaultwarden 1.35.4. The patch adds brute-force protection to the send_email_login handler so that repeated invalid attempts trigger the same throttling applied to the primary login route. Release notes and the source change are available in the Vaultwarden 1.35.4 Release and the GitHub Pull Request #6867.
Workarounds
- Disable email 2FA at the server level until the upgrade is applied, which removes the oracle behavior of the vulnerable endpoint
- Place a Web Application Firewall (WAF) rule in front of Vaultwarden that rate-limits requests to /api/two-factor/send-email-login per source IP and per username
- Enforce strong, unique passwords and require additional 2FA factors such as TOTP to reduce post-brute-force impact
# Example reverse proxy rate limit (nginx) for the vulnerable endpoint.
# limit_req_zone must sit in the http {} context; the location block goes in the
# server {} that fronts Vaultwarden. 5r/m per client address with a burst of 5 stops
# sustained guessing while leaving normal 2FA email requests unaffected. This keys on
# the client address only; the per-username limit mentioned above is not expressed here.
limit_req_zone $binary_remote_addr zone=vw_2fa:10m rate=5r/m;

location /api/two-factor/send-email-login {
    limit_req zone=vw_2fa burst=5 nodelay;
    limit_req_status 429;              # makes throttled requests easy to spot in access logs
    proxy_pass http://vaultwarden_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.