CVE-2026-57522

LOW

Bitwarden Server < 2026.5.0 JSON Injection via Webhook Templates

Title source: cna
STIX 2.1

Description

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens(), which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template references a user-controlled token (such as #ActingUserName# or #UserName#, populated from a member's display name), an authenticated member can set their display name to JSON metacharacters and inject arbitrary key-value pairs into the rendered payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints, making injected fields indistinguishable from legitimate template output.

Scores

CVSS v3 3.5
EPSS 0.0026
EPSS Percentile 17.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-74
Status published
Products (1)
bitwarden/server < 2026.5.0 (2 CPE variants)
Published Jun 25, 2026
Tracked Since Jun 26, 2026