Skip to main content

Bitwarden Server EUVDEUVD-2026-39543

| CVE-2026-57522 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-25 VulnCheck GHSA-w6hw-45mp-qr7v
2.3
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.5 LOW

Requires authenticated membership (PR:L) and admin-configured event integration with user-controlled token (AC:H); integrity impact crosses scope to downstream webhook/SIEM consumers (S:C).

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 20:21 vuln.today
Analysis Generated
Jun 25, 2026 - 20:21 vuln.today

DescriptionCVE.org

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens(), which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template references a user-controlled token (such as #ActingUserName

or #UserName#, populated from a member's display name), an authenticated member can set their display name to JSON metacharacters and inject arbitrary key-value pairs into the rendered payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints, making injected fields indistinguishable from legitimate template output.

AnalysisAI

JSON injection in Bitwarden Server's IntegrationTemplateProcessor.ReplaceTokens() allows authenticated organization members to corrupt event-integration payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints. Any organization running Bitwarden Server prior to 2026.5.0 that has configured event integrations referencing user-controlled tokens such as #ActingUserName# or #UserName# is exposed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as org member
Delivery
Set display name to JSON metacharacter payload
Exploit
Perform auditable organization action
Execution
ReplaceTokens() substitutes unencoded name into event template
Persist
Malformed JSON delivered to webhook/SIEM/Slack/Teams/Datadog
Impact
Downstream system processes injected fields as legitimate template output

Vulnerability AssessmentAI

Exploitation Exploitation requires three specific preconditions: (1) the attacker must hold a valid, authenticated Bitwarden organization member account (PR:L per the CVSS 4.0 vector); (2) the target organization must have explicitly configured at least one event integration - webhook, SIEM, Slack, Teams, or Datadog - whose template references a user-controlled token, specifically #ActingUserName# or #UserName# populated from member display names; integrations that reference only system-generated tokens are not exploitable; and (3) the attacker must trigger an auditable event that fires the integration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.3 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N) correctly reflects a low-severity finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Bitwarden organization member navigates to their account profile and sets their display name to a crafted string such as 'legit", "is_admin": true, "injected": "attacker' and then performs any auditable action - such as logging in or modifying a vault item - that triggers an event integration. When the Bitwarden server calls ReplaceTokens() to build the notification payload, the unencoded display name breaks the JSON structure, and the downstream Slack, Teams, SIEM, or webhook endpoint receives a payload containing the injected fields as legitimate-looking top-level keys. …
Remediation Upgrade Bitwarden Server to version 2026.5.0 or later, which contains the fix committed in a26afd18130ef985ede5c97d277820d045185a28 and documented in PR #7593 (https://github.com/bitwarden/server/pull/7593) and the release page (https://github.com/bitwarden/server/releases/tag/v2026.5.0). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Server

View all
CVE-2018-1000881 CRITICAL POC
9.8 Dec 20

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2026-43639 HIGH POC
8.9 May 11

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access

CVE-2021-42973 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl

CVE-2021-42972 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple

CVE-2026-43640 HIGH POC
8.6 May 11

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2023-30223 HIGH POC
7.5 Jun 16

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen

CVE-2023-30222 HIGH POC
7.5 Jun 16

An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2017-7855 MEDIUM POC
6.1 Aug 31

In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet

CVE-2022-39395 CRITICAL
9.9 Nov 10

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se

Share

EUVD-2026-39543 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy