Bug 2476363 (CVE-2026-43911)

Summary: CVE-2026-43911 vaultwarden: Vaultwarden: Session persistence due to unexpired refresh tokens after security actions
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Vaultwarden. This vulnerability allows an attacker who has previously obtained a user's refresh token to maintain session access. This occurs because refresh tokens are not invalidated when security-sensitive operations, such as password changes or key rotations, are performed. Consequently, an attacker can continue to access a user's account even after the user has attempted to secure it, leading to unauthorized access.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2476443, 2476444    
Bug Blocks:    

Description OSIDB Bzimport 2026-05-11 23:09:13 UTC 
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.