Description
Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, when obtained from npm, had embedded malicious code. This is related to a Checkmarx supply chain incident.
Published: 2026-05-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bitwarden CLI version 2026.4.0, when fetched from the npm registry, included embedded malicious code that can be executed when the package is installed. The vulnerability aligns with CWE‑78, indicating command‑dependent code execution, and with CWE‑94, indicating arbitrary code or instruction injection. This can lead to full compromise of the host system, including data exfiltration, persistence, or remote code execution, with wide‑scale impact if the CLI is used in automated environments. Based on the description, it is inferred that the malicious code could allow arbitrary command execution.

Affected Systems

The affected product is the Bitwarden Command‑Line Interface (CLI) distributed via npm, specifically the 2026.4.0 release dated 2026‑04‑22. No other vendors or versions are listed in the current data.

Risk and Exploitability

The CVSS score of 8.8 classifies this issue as high risk. The EPSS score is < 1%, indicating a low but nonzero exploitation probability, and it is not currently listed in the CISA KEV catalog, but the supply‑chain nature of the compromise suggests that the vulnerability could be actively exploited in environments that routinely pull packages from npm. Attackers would gain execution privileges by installing or upgrading the compromised CLI, so based on the description, it is inferred that the primary attack vector is the compromised package distribution channel.

Generated by OpenCVE AI on May 4, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove the npm‑installed Bitwarden CLI package immediately.
  • Download and install the CLI directly from the official Bitwarden repository or distribution channel.
  • Verify the integrity of the downloaded package by checking its cryptographic signature or checksum before installation.

Generated by OpenCVE AI on May 4, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Malicious Code Inserted in Bitwarden CLI npm Package

Mon, 04 May 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Bitwarden cli
Weaknesses CWE-94
CPEs cpe:2.3:a:bitwarden:cli:2026.4.0:*:*:*:*:*:*:*
Vendors & Products Bitwarden cli
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 08:15:00 +0000

Type Values Removed Values Added
Title Malicious Code Inserted in Bitwarden CLI npm Package

Fri, 01 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Bitwarden
Bitwarden bitwarden
Vendors & Products Bitwarden
Bitwarden bitwarden

Fri, 01 May 2026 04:45:00 +0000

Type Values Removed Values Added
Description Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, when obtained from npm, had embedded malicious code. This is related to a Checkmarx supply chain incident.
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/AU:Y'}

Subscriptions

Bitwarden Bitwarden Cli
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T14:16:19.189Z

Reserved: 2026-05-01T04:06:16.747Z

Link: CVE-2026-42994

cve-icon Vulnrichment

Updated: 2026-05-01T14:16:11.562Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T05:16:01.510

Modified: 2026-05-04T18:23:38.433

Link: CVE-2026-42994

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T20:00:07Z

Weaknesses