CVE-2026-42994 Overview
CVE-2026-42994 affects the Bitwarden command-line interface (CLI), npm package @bitwarden/cli, version 2026.4.0 as distributed through the npm registry during a narrow window between 2026-04-22T21:57Z and 2026-04-22T23:30Z. The package published in that window contained embedded malicious code introduced through the Checkmarx supply chain incident. Users who installed @bitwarden/cli from npm during the window received a tampered build capable of executing attacker-controlled logic. The issue maps to CWE-78 (OS Command Injection) and CWE-94 (Code Injection).
Critical Impact
Developers and automation pipelines that pulled Bitwarden CLI 2026.4.0 from npm during the affected window executed malicious code with the privileges of the invoking user or CI/CD runner.
Affected Products
- Bitwarden CLI 2026.4.0 (npm distribution only)
- Installations of @bitwarden/cli@2026.4.0 from the npm registry performed between 2026-04-22T21:57Z and 2026-04-22T23:30Z
- Downstream pipelines and container images that pinned the affected npm artifact
Discovery Timeline
- 2026-05-01 - CVE-2026-42994 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-42994
Vulnerability Analysis
The Bitwarden CLI npm package distributed during the affected 93-minute window included unauthorized code unrelated to Bitwarden's official source. Because the CLI is invoked with elevated trust by developers, build systems, and secret-management workflows, the malicious payload executed in environments that frequently hold credentials, vault sessions, and access tokens. The incident is tied to the broader Checkmarx supply chain compromise documented in the Bitwarden Supply Chain Incident Statement.
Root Cause
The root cause is a third-party supply chain compromise, not a defect in Bitwarden's source code. An upstream tooling provider (Checkmarx) involved in the publishing pipeline was abused to inject code into the published artifact. The tampered package was signed and uploaded as a legitimate release, so standard npm integrity checks did not flag it during the active window. This is expected behaviour of npm's integrity mechanism rather than a failure of it: the integrity hash recorded in a lockfile is the hash of whatever tarball was first resolved, so a lockfile generated inside the window pins the tampered tarball instead of detecting it. Only a lockfile or hash captured before the window, or the known-good hash the vendor publishes, provides a reference to compare against.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction beyond a normal npm install of the affected version. Any CI runner, developer workstation, or container build that resolved @bitwarden/cli@2026.4.0 from the npm registry during the window pulled the malicious code. The payload ran when the CLI was invoked, inside the calling process and with the privileges of the invoking user or CI runner, where it could execute shell commands and arbitrary code (the CWE-78 and CWE-94 mappings above).
No public exploit code or proof-of-concept has been released for this incident.
Detection Methods for CVE-2026-42994
Indicators of Compromise
- Lockfile or install records referencing @bitwarden/cli@2026.4.0 whose resolution from the npm registry falls between 2026-04-22T21:57Z and 2026-04-22T23:30Z. Lockfiles carry no timestamp, so correlate the lockfile change with commit or build times.
- Unexpected outbound network connections from hosts or build runners shortly after invoking bw commands.
- package-lock.json, yarn.lock, or pnpm-lock.yaml integrity hashes for @bitwarden/cli@2026.4.0 that do not match the post-incident republished artifact.
Detection Strategies
- Audit artifact repositories, CI caches, and container layers for the affected version and timestamp range.
- Inspect process telemetry for node or bw processes spawning unexpected shells, network utilities, or credential-access commands.
- Correlate npm install events from build logs against the compromise window to identify exposed pipelines.
Monitoring Recommendations
- Continuously monitor developer endpoints and CI/CD systems for anomalous child processes of bw and node.
- Alert on outbound DNS or HTTPS connections to domains not previously contacted by build infrastructure.
- Track changes to environment variables and secret stores following any execution of the affected CLI version.
How to Mitigate CVE-2026-42994
Immediate Actions Required
- Uninstall @bitwarden/cli@2026.4.0 and reinstall a clean version published outside the compromise window.
- Rotate any Bitwarden vault credentials, API keys, and session tokens that may have been accessible during execution of the affected CLI.
- Invalidate and reissue secrets exposed to CI/CD runners that executed the compromised build.
- Review the Bitwarden Supply Chain Incident Statement and apply the vendor's recommended steps.
Patch Information
Bitwarden republished the CLI on npm after removing the malicious artifact. Install a version published after 2026-04-22T23:30Z and verify the package integrity hash against the official release: the version string reported by bw --version cannot by itself distinguish a tampered 2026.4.0 tarball from a clean one, so compare the integrity recorded in your lockfile (or the sha512 of the downloaded tarball) with the hash Bitwarden publishes. Refer to the Bitwarden Supply Chain Incident Statement for the exact replacement version and validation guidance.
Workarounds
- Pin @bitwarden/cli to a known-good version released before 2026-04-22T21:57Z until upgrading to the republished artifact.
- Restrict npm installs to vetted registries and enforce package integrity checks via npm ci with verified lockfile hashes.
- Isolate Bitwarden CLI execution to ephemeral containers without long-lived credentials until remediation is confirmed.
# Remove the affected build and reinstall a clean Bitwarden CLI version
npm uninstall -g @bitwarden/cli
# Purge cached tarballs so the tampered artifact is not reused from the local cache
npm cache clean --force
npm install -g @bitwarden/cli@latest
# Confirm the installed version is the republished build named in the vendor statement
bw --version
npm ls -g @bitwarden/cli
# Compare the registry's current integrity hash with the hash in the vendor statement
npm view @bitwarden/cli dist.integrity
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


