Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable token endpoint requires low-privileged account and specific configuration preconditions; scope bounded to the BunkerWeb instance with no lateral impact to subsequent systems.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). Prior to BunkerWeb 1.6.12 and BunkerWeb PRO 0.57, authenticated Host header handling in the BunkerWeb UI and API improperly validated and neutralized user-controlled input in a configuration-dependent path, allowing a low-privileged authenticated user to escalate privileges and affect confidentiality, integrity, and availability of the BunkerWeb instance. This issue is fixed in BunkerWeb version 1.6.12 and BunkerWeb PRO version 0.57.
AnalysisAI
Privilege escalation in BunkerWeb's UI and API allows a low-privileged authenticated user to inject attacker-controlled Datalog facts into signed Biscuit authorization tokens by manipulating the HTTP Host header, which was interpolated directly into the token builder string without parameterization. Affected are BunkerWeb open-source versions prior to 1.6.12 and BunkerWeb PRO prior to 0.57. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid low-privileged authenticated account on the BunkerWeb UI or API (PR:L per CVSS vector - unauthenticated exploitation is not possible). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H reflects genuine exploitation complexity: AC:H and AT:P signal that specific preconditions and non-default configurations gate the attack path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged BunkerWeb account (e.g., a reader role) sends an authentication or API request with a crafted Host header such as `legit-host"; admin(true); extra_fact("injected` - the BunkerWeb server incorporates this value via f-string interpolation into a Biscuit Datalog builder string, signing the injected facts into the resulting token. The attacker then presents this token to the API, where the Datalog authorizer evaluates the injected facts as signed and trusted, granting elevated privileges and enabling modification or disruption of WAF configuration and operations. |
| Remediation | Upgrade BunkerWeb open-source to version 1.6.12 or later, or BunkerWeb PRO to version 0.57 or later; the patched release is published at https://github.com/bunkerity/bunkerweb/releases/tag/v1.6.12 and the upstream fix commit is https://github.com/bunkerity/bunkerweb/commit/685ccbbe7d204132a843a7b7fd802d1bdb3f20a9. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45033