Vaultwarden CVE-2026-43913: Unconfirmed Owners Can Purge Vaults
The National Vulnerability Database has detailed CVE-2026-43913, a high-severity vulnerability (CVSS 8.1) in Vaultwarden, a popular Bitwarden-compatible server written in Rust. This flaw allows an unconfirmed organization owner to purge the entire organization vault, leading to immediate and complete data loss.
The vulnerability exists in Vaultwarden versions prior to 1.35.5. Joining an organization is a two-step process: the invitee accepts the invite, and an existing owner then confirms the membership. However, the POST /api/ciphers/purge endpoint only checks that the caller's membership type is Owner and never verifies that the membership status is Confirmed. As a result, an authenticated user who has accepted an owner invite but has not yet been confirmed can call this endpoint and hard-delete every cipher and attachment in the organization.
This is a critical flaw for any organization relying on Vaultwarden for sensitive credential management: an attacker needs only an accepted owner invite, not a confirmed membership, to wipe out the organization's entire vault. Defenders must prioritize patching to version 1.35.5 immediately to mitigate this risk. Beyond patching, review your invite and confirmation workflows for any unconfirmed owners who might, inadvertently or maliciously, exploit this vector.
What This Means For You
- If your organization uses Vaultwarden, you are exposed to immediate, irrecoverable data loss if an unconfirmed owner leverages CVE-2026-43913. Patch to version 1.35.5 without delay and audit your organization's members for any unconfirmed owners. Revoke their invitations if they are not legitimate.
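The missing check described above, and the audit step recommended here, as an added illustration in Rust (not Vaultwarden's own code; all type, field and function names are assumptions): the vulnerable gate tests membership type only, the hardened gate also requires Confirmed status, and a helper lists owner memberships that are still unconfirmed.

```rust
// Added illustration, not Vaultwarden's code: contrasts the authorization gate
// described above (type only) with one that also requires Confirmed status.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum MembershipType { Owner, Admin, User }

/// Invite lifecycle: invitee accepts, then an existing owner confirms.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum MembershipStatus { Invited, Accepted, Confirmed }

pub struct Membership {
    pub user: String,
    pub atype: MembershipType,
    pub status: MembershipStatus,
}

/// Gate as the advisory describes it before 1.35.5: type only, so an
/// accepted-but-unconfirmed owner passes.
pub fn may_purge_vulnerable(m: &Membership) -> bool {
    m.atype == MembershipType::Owner
}

/// Hardened gate: the caller must be an Owner *and* Confirmed.
pub fn may_purge_fixed(m: &Membership) -> bool {
    m.atype == MembershipType::Owner && m.status == MembershipStatus::Confirmed
}

/// Audit helper: owner-type memberships whose status is not Confirmed.
pub fn unconfirmed_owners(members: &[Membership]) -> Vec<String> {
    members
        .iter()
        .filter(|m| m.atype == MembershipType::Owner && m.status != MembershipStatus::Confirmed)
        .map(|m| m.user.clone())
        .collect()
}

/// Constructed sample member list (not real data).
pub fn sample_members() -> Vec<Membership> {
    let mk = |u: &str, t, s| Membership { user: u.to_string(), atype: t, status: s };
    vec![
        mk("alice", MembershipType::Owner, MembershipStatus::Confirmed),
        mk("mallory", MembershipType::Owner, MembershipStatus::Accepted),
        mk("bob", MembershipType::User, MembershipStatus::Confirmed),
    ]
}

fn main() {
    for m in sample_members() {
        println!("{}: vulnerable={} fixed={}", m.user, may_purge_vulnerable(&m), may_purge_fixed(&m));
    }
    println!("unconfirmed owners: {:?}", unconfirmed_owners(&sample_members()));
}
```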
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats. 3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.
Vaultwarden Unconfirmed Owner Purge Vault - CVE-2026-43913
```yaml
title: Vaultwarden Unconfirmed Owner Purge Vault - CVE-2026-43913
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects the specific API endpoint /api/ciphers/purge being called via POST, which is exploited by unconfirmed organization owners in Vaultwarden versions prior to 1.35.5 to delete all organization data. This rule is specific to the vulnerability described in CVE-2026-43913.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43913/
tags:
  - attack.impact
  - attack.t1485
logsource:
  category: webserver
detection:
  selection:
    cs-uri|endswith:
      - '/api/ciphers/purge'
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43913 | Information Disclosure | Vaultwarden versions prior to 1.35.5 |
| CVE-2026-43913 | Auth Bypass | Vaultwarden unconfirmed organization owner can purge vault |
| CVE-2026-43913 | DoS | Vaultwarden POST /api/ciphers/purge endpoint |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 02:20 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.