Description
Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens(), which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template references a user-controlled token (such as #ActingUserName# or #UserName#, populated from a member's display name), an authenticated member can set their display name to JSON metacharacters and inject arbitrary key-value pairs into the rendered payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints, making injected fields indistinguishable from legitimate template output.
Published: 2026-06-25
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bitwarden Server prior to version 2026.5.0 contains a JSON injection flaw in the IntegrationTemplateProcessor.ReplaceTokens() method. The method substitutes user-controlled values into event‑integration templates without proper JSON encoding, allowing an authenticated member to set their display name to JSON metacharacters. By doing so, the member can inject arbitrary key‑value pairs into the payloads that are sent to webhook, SIEM, Slack, Teams, or Datadog endpoints, making the injected fields indistinguishable from legitimate template output. This flaw corresponds to CWE-74 and can result in unintended data exposure or manipulation through external integrations.
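As an added illustration of the substitution flaw the Description and Impact sections describe (a hypothetical Python reimplementation of the pattern, not Bitwarden's C# code): the naive renderer pastes a display name into the template as raw text, the hardened renderer JSON-escapes each value first, and a defender-side check reports any key the rendered payload carries that the template never declared. The template, the token name #Type#, and all values are constructed.

```python
import json
import re

# Constructed webhook template in the style the advisory describes: tokens are
# delimited with '#' (the advisory names #ActingUserName# and #UserName#).
TEMPLATE = '{"event": "#Type#", "actor": "#ActingUserName#", "user": "#UserName#"}'
TOKEN_RE = re.compile(r"#(\w+)#")

# Constructed values; the acting user's display name carries JSON metacharacters.
VALUES = {
    "Type": "constructed-event",
    "ActingUserName": 'Mallory", "admin": true, "x": "',
    "UserName": "alice",
}


def replace_tokens_naive(template: str, values: dict) -> str:
    """Vulnerable pattern (hypothetical reimplementation, not Bitwarden's code):
    values are pasted in as raw text, so a quote inside a value terminates the
    JSON string the template placed it in and the rest becomes structure."""
    return TOKEN_RE.sub(lambda m: str(values.get(m.group(1), m.group(0))), template)


def replace_tokens_encoded(template: str, values: dict) -> str:
    """Hardened pattern: each value is JSON-string-escaped before substitution.
    Assumes every token sits inside a JSON string literal in the template, so the
    quotes json.dumps adds are stripped and the template's own quotes are kept."""
    def encode(m: re.Match) -> str:
        key = m.group(1)
        if key not in values:
            return m.group(0)  # unknown token is left untouched
        return json.dumps(str(values[key]))[1:-1]
    return TOKEN_RE.sub(encode, template)


def render(template: str, values: dict, hardened: bool) -> dict:
    """Render with one of the two strategies and parse the result as JSON."""
    fn = replace_tokens_encoded if hardened else replace_tokens_naive
    return json.loads(fn(template, values))


def injected_keys(template: str, values: dict, hardened: bool) -> set:
    """Defender-side check: keys present in the rendered payload that the
    template itself never declared. Empty means no structure was injected."""
    expected = set(json.loads(TOKEN_RE.sub("", template)).keys())
    return set(render(template, values, hardened).keys()) - expected


if __name__ == "__main__":
    print(replace_tokens_naive(TEMPLATE, VALUES))
    print(replace_tokens_encoded(TEMPLATE, VALUES))
    print("injected keys (naive):", injected_keys(TEMPLATE, VALUES, hardened=False))
```

The same check can run over payloads a webhook receiver has already logged: any key outside the template's declared set is a detection signal for this class of bug.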

Affected Systems

The vulnerability affects all Bitwarden Server installations where the version is earlier than 2026.5.0. Any deployment that relies on event integration templates referencing user‑controlled tokens is potentially impacted.

Risk and Exploitability

The CVSS score is 2.3, indicating a low overall severity. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated member of an organization that has configured an event integration whose template references a user-controlled token such as #ActingUserName# or #UserName#. A successful attack results in arbitrary data being injected into the payloads sent to third‑party endpoints, potentially breaching confidentiality or causing downstream systems to misinterpret data. Because the flaw does not allow remote code execution or privilege escalation, the risk remains relatively contained yet requires timely mitigation.

Generated by OpenCVE AI on June 25, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bitwarden Server to version 2026.5.0 or later.
  • If an upgrade is not immediately possible, restrict or remove event integration templates that reference user‑controlled tokens or disable webhook integration for untrusted users.
  • Enforce stricter validation on user display names to block JSON metacharacters, allowing only safe alphanumeric characters and spaces.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 01:30:00 +0000

  • First Time appeared: added Bitwarden, Bitwarden server (nothing removed)
  • Vendors & Products: added Bitwarden, Bitwarden server (nothing removed)

Thu, 25 Jun 2026 20:00:00 +0000

  • Description: added "Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens(), which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template references a user-controlled token (such as #ActingUserName# or #UserName#, populated from a member's display name), an authenticated member can set their display name to JSON metacharacters and inject arbitrary key-value pairs into the rendered payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints, making injected fields indistinguishable from legitimate template output." (nothing removed)
  • Title: added "Bitwarden Server < 2026.5.0 JSON Injection via Webhook Templates" (nothing removed)
  • Weaknesses: added CWE-74 (nothing removed)
  • References: no values listed
  • Metrics: added cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N'} and cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'} (nothing removed)


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T19:09:33.881Z

Reserved: 2026-06-24T15:58:58.537Z

Link: CVE-2026-57522

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T01:15:04Z

Weaknesses
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')