CVE-2026-57522

EUVD-2026-39543

25.06.2026, 20:17

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens(), which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template references a user-controlled token (such as #ActingUserName# or #UserName#, populated from a member's display name), an authenticated member can set their display name to JSON metacharacters and inject arbitrary key-value pairs into the rendered payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints, making injected fields indistinguishable from legitimate template output.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
VulnCheck	CNA	3.5 LOW	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
bitwarden	bitwarden	𝑥 < 2026.5.0	CNA

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://github.com/bitwarden/server/commit/a26afd18130ef985ede5c97d277820d045185a28

https://github.com/bitwarden/server/pull/7593

https://github.com/bitwarden/server/releases/tag/v2026.5.0

https://sanjokkarki.com.np/blog/bitwarden-webhook-json-injection

https://www.vulncheck.com/advisories/bitwarden-server-json-injection-via-webhook-templates