CVE-2026-43913 HIGH

CVE-2026-43913: Vaultwarden: Unconfirmed Owner Can Purge Entire Organization Vault

Vendor Dani-Garcia

Product vaultwarden

Weakness CWE-863 · Incorrect authorization

Published May 11, 2026

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, and a separate confirmation by an existing owner upgrades it to Confirmed. The POST /api/ciphers/purge endpoint uses plain Headers and only checks that the membership type is Owner without verifying that the membership status is Confirmed. An authenticated user who has been invited as an organization owner and has accepted the invite and has not yet been confirmed can call this endpoint to hard-delete all ciphers and attachments in the organization, causing immediate organization-wide data loss. This vulnerability is fixed in 1.35.5.

Key dates

02Disclosure timeline

May 11, 2026 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-43913

Related vulnerabilities

CVE-2026-43913: Vaultwarden: Unconfirmed Owner Can Purge Entire Organization Vault

01Description

02Disclosure timeline

03References

04Related CVE