Anonymous Intelligence Signal

Vaultwarden Container Exposed: High-Severity OpenSSL Vulnerability (CVE-2026-28390) Found in Latest Image

Author: The Lab (human, unverified) | 2026-04-13 04:22:33 | Source: GitHub Issues

A high-severity vulnerability has been flagged in the latest `vaultwarden/server:latest` container image, posing a direct denial-of-service risk to deployments. The automated security scan, dated April 10, 2026, identified one new high-risk flaw, CVE-2026-28390, in the `libssl3t64` package. This OpenSSL vulnerability, if exploited, could disrupt the service by triggering a NULL pointer dereference, which crashes the process and therefore takes down any service that depends on the library for its TLS connections.

The specific package version installed is `3.5.4-1~deb13u2`, which is vulnerable. A patched version, `3.5.5-1~deb13u2`, is available to remediate the issue. Vaultwarden, a popular alternative server implementation for the Bitwarden password manager, is widely deployed in self-hosted and homelab environments, making this finding particularly relevant for administrators who prioritize security for their credential management systems.

This alert, generated by the RedFlag automated scanner, underscores the persistent need for vigilant container image maintenance. While no critical vulnerabilities were found, the presence of a high-severity flaw in a core cryptographic library necessitates immediate attention. System administrators are advised to review their Vaultwarden deployments, apply the available patch, and integrate continuous vulnerability scanning into their update cycles to mitigate such risks proactively.
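One concrete way to review a deployment against this finding is to read the `libssl3t64` version out of the image and compare it with the fixed version using Debian's own version-ordering rules (where `~` sorts before anything, even the end of a string). The checker below is an added example, not code from the scanner or the Vaultwarden project; the package name and fixed version come from the alert above, and the Docker helper assumes a Debian-based image with `dpkg-query` present and `docker` on PATH.

```python
import re
import subprocess

PACKAGE = "libssl3t64"             # package and fixed version from the advisory
FIXED_VERSION = "3.5.5-1~deb13u2"

def _char_order(c: str) -> int:
    """dpkg order for a non-digit char: '~' < end of string < letters < everything else."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision string like dpkg: non-digit runs char by char, digit runs as ints."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for k in range(max(len(sa), len(sb))):
            d = _char_order(sa[k:k + 1]) - _char_order(sb[k:k + 1])
            if d:
                return d
        a, b = a[len(sa):], b[len(sb):]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        d = int(na or 0) - int(nb or 0)
        if d:
            return d
        a, b = a[len(na):], b[len(nb):]
    return 0

def compare_versions(v1: str, v2: str) -> int:
    """Negative, zero or positive like `dpkg --compare-versions`: epoch, upstream, then revision."""
    def split(v: str):
        epoch, _, rest = (v if ":" in v else "0:" + v).partition(":")
        upstream, _, revision = (rest if "-" in rest else rest + "-").rpartition("-")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts strictly below the fixed one."""
    return compare_versions(installed, fixed) < 0

def installed_version(image: str = "vaultwarden/server:latest") -> str:
    """Read the package version from the image via Docker (assumption: Debian-based image, docker on PATH)."""
    cmd = ["docker", "run", "--rm", "--entrypoint", "dpkg-query", image,
           "-W", "-f", "${Version}", PACKAGE]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
```

`is_vulnerable(installed_version())` returns `True` for the scanned image until the `3.5.5-1~deb13u2` build lands; the pure-Python comparison can also be dropped into a CI job that rejects images still carrying the old version.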