Vulnerability Description
Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens(), which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template references a user-controlled token (such as #ActingUserName# or #UserName#, populated from a member's display name), an authenticated member can set their display name to JSON metacharacters and inject arbitrary key-value pairs into the rendered payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints, making injected fields indistinguishable from legitimate template output.
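As an added illustration (this is not Bitwarden's code; the template, token names and sample values are constructed), the following Python contrasts plain token substitution into a JSON template with a variant that JSON-encodes each value before substitution, then parses both renderings to show which keys actually reach the receiving endpoint:

```python
import json

# Constructed sample template (not Bitwarden's own): an integration body whose
# tokens are filled from event fields, one of them a member's display name.
TEMPLATE = '{"event": "#Type#", "actor": "#ActingUserName#", "severity": "info"}'
TEMPLATE_KEYS = {"event", "actor", "severity"}

# Constructed display name containing JSON metacharacters.
MALICIOUS_NAME = 'alice", "role": "owner'
EVENT_VALUES = {"Type": "login", "ActingUserName": MALICIOUS_NAME}


def replace_tokens_unsafe(template: str, values: dict) -> str:
    """Plain string substitution, the pattern the advisory describes:
    each #Token# is replaced by the raw value with no JSON encoding."""
    out = template
    for key, val in values.items():
        out = out.replace(f"#{key}#", str(val))
    return out


def replace_tokens_safe(template: str, values: dict) -> str:
    """Hardened variant: JSON-encode each value (escapes quotes, backslashes
    and control characters), then drop the surrounding quotes so the text
    slots into the template's own quoted position."""
    out = template
    for key, val in values.items():
        encoded = json.dumps(str(val))[1:-1]
        out = out.replace(f"#{key}#", encoded)
    return out


def injected_keys(rendered: str) -> set:
    """Keys present in the parsed payload beyond those the template defines.
    A non-empty result means the value escaped its string position."""
    return set(json.loads(rendered)) - TEMPLATE_KEYS


def rendered_actor(rendered: str) -> str:
    """The actor field as the receiving endpoint would parse it."""
    return json.loads(rendered)["actor"]


if __name__ == "__main__":
    unsafe = replace_tokens_unsafe(TEMPLATE, EVENT_VALUES)
    safe = replace_tokens_safe(TEMPLATE, EVENT_VALUES)
    print("unsafe payload:", unsafe)
    print("  injected keys:", injected_keys(unsafe))
    print("safe payload:  ", safe)
    print("  injected keys:", injected_keys(safe))
    print("  actor as parsed:", rendered_actor(safe))
```

The unsafe rendering is still valid JSON, which is the point the advisory makes: the extra `role` key is indistinguishable from template output at the receiver. The quote-stripping trick in the safe variant assumes every token sits inside a quoted string in the template; if a token can appear in a non-string position, build the object first and serialize it with `json.dumps` instead of templating text at all.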
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitwarden | Server | < 2026.5.0 |
Related Weaknesses (CWE)
References
- https://github.com/bitwarden/server/commit/a26afd18130ef985ede5c97d277820d045185 (Patch)
- https://github.com/bitwarden/server/pull/7593 (Issue Tracking)
- https://github.com/bitwarden/server/releases/tag/v2026.5.0 (Release Notes)
- https://sanjokkarki.com.np/blog/bitwarden-webhook-json-injection (Exploit, Third Party Advisory, Patch)
- https://www.vulncheck.com/advisories/bitwarden-server-json-injection-via-webhook (Third Party Advisory)
FAQ
What is CVE-2026-57522?
CVE-2026-57522 is a JSON injection vulnerability in Bitwarden Server before 2026.5.0, rated with a CVSS score of 3.5 (LOW). IntegrationTemplateProcessor.ReplaceTokens() substitutes user-controlled values into event-integration templates without JSON encoding; see the vulnerability description above for the full details.
How severe is CVE-2026-57522?
CVE-2026-57522 has been rated LOW with a CVSS base score of 3.5/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2026-57522?
Check the references section above for vendor advisories and patch information. Affected products include: Bitwarden Server.