Skip to main content

BunkerWeb CVE-2026-54728

| EUVDEUVD-2026-45033 MEDIUM
Improper Input Validation (CWE-20)
2026-07-16 GitHub_M
6.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.1 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network-reachable token endpoint requires low-privileged account and specific configuration preconditions; scope bounded to the BunkerWeb instance with no lateral impact to subsequent systems.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 16, 2026 - 22:19 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 20:20 vuln.today
Analysis Generated
Jul 16, 2026 - 20:20 vuln.today

DescriptionCVE.org

bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). Prior to BunkerWeb 1.6.12 and BunkerWeb PRO 0.57, authenticated Host header handling in the BunkerWeb UI and API improperly validated and neutralized user-controlled input in a configuration-dependent path, allowing a low-privileged authenticated user to escalate privileges and affect confidentiality, integrity, and availability of the BunkerWeb instance. This issue is fixed in BunkerWeb version 1.6.12 and BunkerWeb PRO version 0.57.

AnalysisAI

Privilege escalation in BunkerWeb's UI and API allows a low-privileged authenticated user to inject attacker-controlled Datalog facts into signed Biscuit authorization tokens by manipulating the HTTP Host header, which was interpolated directly into the token builder string without parameterization. Affected are BunkerWeb open-source versions prior to 1.6.12 and BunkerWeb PRO prior to 0.57. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged BunkerWeb UI account
Delivery
Craft HTTP request with Datalog-injecting Host header
Exploit
Trigger Biscuit token creation via authentication endpoint
Execution
Injected Datalog facts signed into authorization token
Persist
Submit requests using privilege-escalated token
Impact
Modify WAF configuration or purge cache as admin

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid low-privileged authenticated account on the BunkerWeb UI or API (PR:L per CVSS vector - unauthenticated exploitation is not possible). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H reflects genuine exploitation complexity: AC:H and AT:P signal that specific preconditions and non-default configurations gate the attack path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged BunkerWeb account (e.g., a reader role) sends an authentication or API request with a crafted Host header such as `legit-host"; admin(true); extra_fact("injected` - the BunkerWeb server incorporates this value via f-string interpolation into a Biscuit Datalog builder string, signing the injected facts into the resulting token. The attacker then presents this token to the API, where the Datalog authorizer evaluates the injected facts as signed and trusted, granting elevated privileges and enabling modification or disruption of WAF configuration and operations.
Remediation Upgrade BunkerWeb open-source to version 1.6.12 or later, or BunkerWeb PRO to version 0.57 or later; the patched release is published at https://github.com/bunkerity/bunkerweb/releases/tag/v1.6.12 and the upstream fix commit is https://github.com/bunkerity/bunkerweb/commit/685ccbbe7d204132a843a7b7fd802d1bdb3f20a9. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54728 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy