Vaultwarden 2FA Bypass Vulnerability in Protected Actions
Vulnerability
A vulnerability allowing two-factor authentication (2FA) bypass in Vaultwarden has been identified in versions up to and including 1.34.3. The issue arises during protected actions, where the 2FA validation is not properly enforced. An attacker with authenticated access to a user's account can exploit this vulnerability to perform protected actions such as reading the user's API key or deleting the user's vault and the organizations in which the user holds an admin or owner role.
Impact
Exploitation of this vulnerability allows an attacker to bypass 2FA protections, enabling them to access sensitive user data such as the API key or to delete the user's vault and organizations.
Reproduction
To reproduce this vulnerability, first request a one-time passcode (OTP) from the '/api/accounts/request-otp' endpoint. After receiving the OTP, send repeated invalid guesses to the '/api/accounts/verify-otp' endpoint. Vaultwarden responds with 'Token is invalid' for incorrect guesses, and after six failed attempts the response should indicate that the token has expired. Due to the vulnerability, however, the token is still accepted if the correct OTP is entered after that point, even though the allowed number of attempts has been exceeded.
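The attempt-limit logic described above, as an added illustrative model written for this page rather than Vaultwarden's own code: verify_weak reproduces the reported behaviour, where the failure counter only changes the error message returned for wrong guesses, beside verify_fixed, which checks the attempt budget before comparing and rejects an exhausted or already-used token whatever the guess. The OtpRecord type, its method names and the six-attempt limit taken from the advisory are assumptions of this model.

```rust
const MAX_ATTEMPTS: u32 = 6; // limit stated in the advisory (assumed for this model)

#[derive(Debug, PartialEq)]
pub enum VerifyResult { Valid, Invalid, Expired }

/// Server-side record for one issued OTP (illustrative model, not Vaultwarden's struct).
pub struct OtpRecord { code: String, failed: u32, consumed: bool }

/// Compare two byte strings without short-circuiting on the first mismatch.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl OtpRecord {
    pub fn new(code: &str) -> Self {
        OtpRecord { code: code.to_string(), failed: 0, consumed: false }
    }

    /// Weak check, modelling the reported behaviour: the counter is consulted only
    /// after a wrong guess, so a correct guess is still accepted once the limit
    /// has been exceeded and the caller has already been told the token expired.
    pub fn verify_weak(&mut self, guess: &str) -> VerifyResult {
        if ct_eq(guess.as_bytes(), self.code.as_bytes()) {
            return VerifyResult::Valid;
        }
        self.failed += 1;
        if self.failed >= MAX_ATTEMPTS { VerifyResult::Expired } else { VerifyResult::Invalid }
    }

    /// Hardened check: the budget is enforced before any comparison, and a token
    /// that is exhausted or already consumed is rejected regardless of the guess.
    pub fn verify_fixed(&mut self, guess: &str) -> VerifyResult {
        if self.consumed || self.failed >= MAX_ATTEMPTS {
            return VerifyResult::Expired;
        }
        if ct_eq(guess.as_bytes(), self.code.as_bytes()) {
            self.consumed = true; // one-time use: a second correct submission is refused
            return VerifyResult::Valid;
        }
        self.failed += 1;
        if self.failed >= MAX_ATTEMPTS { VerifyResult::Expired } else { VerifyResult::Invalid }
    }
}
```

The defensive point is that the limit must gate the comparison, not merely shape the error text; a persisted record should also be deleted or marked consumed once it is spent so that a later request cannot revive it.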
Remediation
Users can update to Vaultwarden version 1.35.0 or later, where this vulnerability has been patched.