CVE-2026-43911: CWE-613: Insufficient Session Expiration in dani-garcia vaultwarden
Vaultwarden versions prior to 1. 35. 5 have a vulnerability where refresh tokens are not invalidated after certain security-sensitive user actions, such as password changes or key rotations. This flaw allows an attacker with a previously obtained refresh token to maintain session access despite the user attempting to secure their account. The issue is classified as insufficient session expiration (CWE-613). A fix is available in version 1. 35. 5.
AI Analysis
Technical Summary
Vaultwarden, a Bitwarden-compatible server written in Rust, suffers from insufficient session expiration in versions before 1.35.5. Specifically, refresh tokens remain valid even after the user's security_stamp is rotated due to security-sensitive operations like password changes, key derivation function changes, key rotations, email changes, organization admin password resets, or emergency access takeovers. This allows an attacker holding a previously obtained refresh token to continue accessing the session despite the user's security actions. The vulnerability is addressed in Vaultwarden version 1.35.5.
Potential Impact
An attacker who has previously obtained a valid refresh token can maintain unauthorized session access even after the user performs security-sensitive actions intended to invalidate such tokens. This compromises the confidentiality and integrity of the user's account. The vulnerability does not affect availability. The CVSS score is 6.8 (medium severity), reflecting network attack vector, high impact on confidentiality and integrity, but requiring low privileges and high attack complexity.
Mitigation Recommendations
Upgrade Vaultwarden to version 1.35.5 or later, where this vulnerability is fixed by proper invalidation of refresh tokens upon security_stamp rotation. No other mitigation is indicated or required according to the available data.
CVE-2026-43911: CWE-613: Insufficient Session Expiration in dani-garcia vaultwarden
Description
Vaultwarden versions prior to 1. 35. 5 have a vulnerability where refresh tokens are not invalidated after certain security-sensitive user actions, such as password changes or key rotations. This flaw allows an attacker with a previously obtained refresh token to maintain session access despite the user attempting to secure their account. The issue is classified as insufficient session expiration (CWE-613). A fix is available in version 1. 35. 5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Vaultwarden, a Bitwarden-compatible server written in Rust, suffers from insufficient session expiration in versions before 1.35.5. Specifically, refresh tokens remain valid even after the user's security_stamp is rotated due to security-sensitive operations like password changes, key derivation function changes, key rotations, email changes, organization admin password resets, or emergency access takeovers. This allows an attacker holding a previously obtained refresh token to continue accessing the session despite the user's security actions. The vulnerability is addressed in Vaultwarden version 1.35.5.
Potential Impact
An attacker who has previously obtained a valid refresh token can maintain unauthorized session access even after the user performs security-sensitive actions intended to invalidate such tokens. This compromises the confidentiality and integrity of the user's account. The vulnerability does not affect availability. The CVSS score is 6.8 (medium severity), reflecting network attack vector, high impact on confidentiality and integrity, but requiring low privileges and high attack complexity.
Mitigation Recommendations
Upgrade Vaultwarden to version 1.35.5 or later, where this vulnerability is fixed by proper invalidation of refresh tokens upon security_stamp rotation. No other mitigation is indicated or required according to the available data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T16:11:33.086Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a028743cbff5d86108b5071
Added to database: 5/12/2026, 1:49:55 AM
Last enriched: 5/12/2026, 1:51:58 AM
Last updated: 5/12/2026, 3:49:40 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.