CVE Catalog

CVE-2026-42994

Critical
Published: Translated: NVD NIST

Summary

Bitwarden CLI version 2026.4.0, obtained from npm on April 22, 2026, contained embedded malicious code. This incident is related to a Checkmarx supply chain issue.

Risk Assessment

The malicious code may lead to the compromise of user data and breaches of organizational security. Users could be exposed to attacks and loss of sensitive information.

Recommendation

It is recommended to immediately remove the installed version of Bitwarden CLI and update to the latest, secure version. A security audit of potentially affected systems should also be conducted.

Original NVD description (English source)

Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, when obtained from npm, had embedded malicious code. This is related to a Checkmarx supply chain incident.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS