During a penetration test for a customer, we briefly assessed Vaultwarden, an open-source online password safe. In June 2024, the German Federal Office for Information Security (BSI) published the results1 of a static and dynamic test of the Vaultwarden server component. Therefore, only a partial source code audit was performed during our assessment. However, only a quick look was needed to find some g ...
Am I understanding correctly that if users had 2FA, the vulnerability would be prevented from gaining access?
Correct. Only users without 2FA were in danger.