Bug 2466842 (CVE-2026-31835)

Summary: CVE-2026-31835 Vaultwarden: Vaultwarden: Denial of Service in WebAuthn two-factor authentication due to unverified credential updates
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Vaultwarden. The WebAuthn authentication process in versions 1.35.4 and earlier incorrectly updates user credential information before fully verifying the authentication signature. This allows an attacker who possesses a user's password, but cannot complete the WebAuthn signature, to permanently alter the stored backup flags for that user's credentials. The unverified database update is not rolled back if signature verification fails, leading to a persistent denial of service for WebAuthn two-factor authentication for affected users.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2477176, 2477177    
Bug Blocks:    

Description OSIDB Bzimport 2026-05-05 19:01:33 UTC
Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1backup_eligible1 and 1backup_state flags1) based on unverified `authenticatorData` before signature validation is performed. An attacker who knows a user's password but cannot produce a valid WebAuthn signature can permanently modify the stored backup flags for that user's credential. If signature verification fails, the database update is not rolled back. This can result in a persistent denial of service of WebAuthn two-factor authentication for affected credentials. This issue has been fixed in version 1.35.5.