Bug 2466842 (CVE-2026-31835) - CVE-2026-31835 Vaultwarden: Vaultwarden: Denial of Service in WebAuthn two-factor authentication due to unverified credential updates
Keywords:
Status: NEW
Alias: CVE-2026-31835
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2477176 2477177
Blocks:
Reported: 2026-05-05 19:01 UTC by OSIDB Bzimport
Modified: 2026-05-13 17:25 UTC (History)
CC List: 0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-05 19:01:33 UTC
Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (the `backup_eligible` and `backup_state` flags) based on unverified `authenticatorData` before signature validation is performed. An attacker who knows a user's password but cannot produce a valid WebAuthn signature can permanently modify the stored backup flags for that user's credential. If signature verification fails, the database update is not rolled back. This can result in a persistent denial of service of WebAuthn two-factor authentication for affected credentials. This issue has been fixed in version 1.35.5.
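The ordering defect the description outlines, as an added Rust example that is not Vaultwarden's code: the flawed flow (persist flags from `authenticatorData`, then verify) is shown beside the corrected one (verify, then persist). The `StoredCredential` type, the `verify` callback standing in for real WebAuthn signature checking, and the forged assertion bytes are all constructed for illustration; the BE (0x08) and BS (0x10) bits are the flag values from the WebAuthn authenticatorData format.

```rust
// Added example, not Vaultwarden's code; `verify` stands in for WebAuthn signature checking.
pub const FLAG_BE: u8 = 0x08; // authenticatorData flags byte: backup eligible
pub const FLAG_BS: u8 = 0x10; // authenticatorData flags byte: backup state
#[derive(Clone, Debug, PartialEq)]
pub struct StoredCredential { pub backup_eligible: bool, pub backup_state: bool }
#[derive(Debug, PartialEq)]
pub enum LoginError { MalformedAuthData, BadSignature }
type Verify<'a> = &'a dyn Fn(&[u8], &[u8]) -> bool;

/// authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | extensions.
fn parse_flags(auth_data: &[u8]) -> Result<u8, LoginError> {
    if auth_data.len() < 37 { return Err(LoginError::MalformedAuthData); }
    Ok(auth_data[32])
}

fn apply_flags(cred: &mut StoredCredential, flags: u8) {
    cred.backup_eligible = flags & FLAG_BE != 0;
    cred.backup_state = flags & FLAG_BS != 0;
}

/// Flawed ordering: stored flags are overwritten from unverified input and are not
/// rolled back when the signature then fails to verify.
pub fn validate_flawed(cred: &mut StoredCredential, auth_data: &[u8], sig: &[u8], verify: Verify<'_>) -> Result<(), LoginError> {
    apply_flags(cred, parse_flags(auth_data)?);
    if !verify(auth_data, sig) { return Err(LoginError::BadSignature); }
    Ok(())
}

/// Fixed ordering: nothing persistent changes until the signature checks out.
pub fn validate_fixed(cred: &mut StoredCredential, auth_data: &[u8], sig: &[u8], verify: Verify<'_>) -> Result<(), LoginError> {
    let flags = parse_flags(auth_data)?;
    if !verify(auth_data, sig) { return Err(LoginError::BadSignature); }
    apply_flags(cred, flags);
    Ok(())
}

/// Constructed scenario: the stored credential is backup-eligible and backed up; a forged
/// assertion clears both bits and carries a signature that does not verify. Returns the
/// credential after the flawed flow and after the fixed flow.
pub fn demo() -> (StoredCredential, StoredCredential) {
    let mut forged = vec![0u8; 37]; // constructed: zero rpIdHash and signCount
    forged[32] = 0x01; // UP set, BE and BS cleared
    let verify = |_ad: &[u8], sig: &[u8]| sig == b"constructed-genuine-signature";
    let genuine = StoredCredential { backup_eligible: true, backup_state: true };
    let (mut a, mut b) = (genuine.clone(), genuine);
    let _ = validate_flawed(&mut a, &forged, b"bogus", &verify);
    let _ = validate_fixed(&mut b, &forged, b"bogus", &verify);
    (a, b)
}
```

With the flawed flow the stored flags end up cleared even though the login was rejected; with the fixed flow they are untouched.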

