Which versions of Bitwarden CLI are affected by EUVD-2026-26474?

Bitwarden CLI version 2026.4.0 distributed via npm on April 22, 2026 contained malicious code enabling unauthenticated remote command execution as part of a Checkmarx supply chain attack.

How to fix or mitigate EUVD-2026-26474?

Within 24 hours: Inventory all Bitwarden CLI installations and identify any systems that pulled version 2026.4.0 between April 22, 2026 21:57Z-23:30Z via npm logs or package manager history. Isolate any confirmed affected systems from production networks and execute malware scanning with focus on process execution logs and command history. Within 7 days: Upgrade all Bitwarden CLI instances to version 2026.4.1 or later (vendor will release patched version); conduct forensic analysis of affected systems for unauthorized OS command execution, persistence mechanisms, and credential access. Within 30 days: Rotate all secrets and credentials managed by Bitwarden, particularly those accessed from compromised CLI instances; implement npm package pinning and hash verification for all Bitwarden dependencies; deploy behavioral monitoring on CLI execution paths.

Bitwarden CLI EUVD-2026-26474

Q: What is the CVSS score of EUVD-2026-26474?

EUVD-2026-26474 has a CVSS 4.0 base score of 8.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-42994 HIGH

OS Command Injection (CWE-78)

2026-05-01 mitre

Command Injection Node.js

8.8

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 01, 2026 - 07:30 vuln.today

CVSS changed

May 01, 2026 - 05:22 NVD

8.8 (HIGH)

EUVD ID Assigned

May 01, 2026 - 05:00 euvd

EUVD-2026-26474

Analysis Generated

May 01, 2026 - 05:00 vuln.today

CVE Published

May 01, 2026 - 04:06 nvd

HIGH 8.8

DescriptionNVD

Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, when obtained from npm, had embedded malicious code. This is related to a Checkmarx supply chain incident.

AnalysisAI

Malicious code injection in Bitwarden CLI 2026.4.0 distributed via npm for 90 minutes on April 22, 2026, enables remote command execution without authentication. The compromise was part of a broader Checkmarx supply chain attack targeting the npm registry. …

RemediationAI

Within 24 hours: Inventory all Bitwarden CLI installations and identify any systems that pulled version 2026.4.0 between April 22, 2026 21:57Z-23:30Z via npm logs or package manager history. Isolate any confirmed affected systems from production networks and execute malware scanning with focus on process execution logs and command history. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-26474 vulnerability details – vuln.today

Back

Bitwarden CLI EUVD-2026-26474

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Bitwarden CLI EUVD-2026-26474

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code