Skip to main content

Bitwarden CLI EUVDEUVD-2026-26474

| CVE-2026-42994 HIGH
OS Command Injection (CWE-78)
2026-05-01 mitre
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 07:30 vuln.today
CVSS changed
May 01, 2026 - 05:22 NVD
8.8 (HIGH)
EUVD ID Assigned
May 01, 2026 - 05:00 euvd
EUVD-2026-26474
Analysis Generated
May 01, 2026 - 05:00 vuln.today
CVE Published
May 01, 2026 - 04:06 nvd
HIGH 8.8

DescriptionCVE.org

Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, when obtained from npm, had embedded malicious code. This is related to a Checkmarx supply chain incident.

AnalysisAI

Malicious code injection in Bitwarden CLI 2026.4.0 distributed via npm for 90 minutes on April 22, 2026, enables remote command execution without authentication. The compromise was part of a broader Checkmarx supply chain attack targeting the npm registry. Users who installed this specific version during the 21:57Z-23:30Z window received a backdoored package capable of executing arbitrary OS commands. EPSS data not available for this recent CVE, but the supply chain vector and brief exposure window suggest targeted rather than mass exploitation.

Technical ContextAI

This is a software supply chain compromise (CWE-78: OS Command Injection) affecting the npm distribution channel for Bitwarden's command-line password manager client. The malicious code was embedded in version 2026.4.0 published to the npm registry, leveraging developers' trust in the official Bitwarden package namespace. Unlike traditional vulnerabilities in software logic, this represents direct tampering with the distribution artifact itself. The attack vector exploits the npm package manager ecosystem where dependencies are automatically fetched and installed via 'npm install @bitwarden/cli', making detection difficult until post-installation analysis. The Checkmarx reference suggests this may be related to compromised build infrastructure or developer credentials, similar to previous supply chain incidents affecting ua-parser-js, event-stream, and other npm packages.

RemediationAI

Immediately uninstall Bitwarden CLI 2026.4.0 if installed between 2026-04-22T21:57Z and 23:30Z via 'npm uninstall @bitwarden/cli' and reinstall from a verified clean version (check Bitwarden's official statement for confirmed safe versions post-incident). Audit npm install logs and package-lock.json files with timestamps in the compromise window - systems that pulled dependencies during this period require full compromise investigation including credential rotation, system imaging, and malware scanning. For CI/CD pipelines, review build logs from April 22, 2026 21:57Z-23:30Z and rebuild artifacts created during exposure. Rotate all secrets and API keys accessible to affected systems, as the command injection capability (CWE-78) could enable credential harvesting. Lock npm dependencies to specific hashes in package-lock.json rather than version ranges to prevent future supply chain attacks. Organizations should verify package integrity using npm audit signatures and consider using private npm registries with vulnerability scanning. No workaround exists for already-compromised installations - only complete removal and forensic analysis.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2026-26474 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy