CVE-2024-39926

5.4 MEDIUM

📋 TL;DR

This CVE describes a stored cross-site scripting (XSS) or HTML injection vulnerability in Vaultwarden's admin dashboard. Authenticated attackers can inject malicious code that executes in administrators' browsers when viewing the dashboard. The default Content Security Policy (CSP) significantly reduces exploitation risk, but the vulnerability still exists.

💻 Affected Systems

Products:
  • Vaultwarden (formerly Bitwarden_RS)
Versions: Up to and including 1.30.3
Operating Systems: All platforms running Vaultwarden
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the admin dashboard, not the main user interface. Requires attacker authentication.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious user could inject JavaScript that steals administrator session tokens, performs actions as the administrator, or compromises the entire Vaultwarden instance.

🟠 Likely Case

Limited HTML injection that disrupts dashboard functionality or displays misleading information, but JavaScript execution is blocked by default CSP.

🟢 If Mitigated

Only benign HTML rendering with no script execution due to CSP protections.

🌐 Internet-Facing: MEDIUM - While CSP reduces risk, internet-facing instances could still be targeted by authenticated attackers.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple injection in admin interface fields.

Exploitation requires authenticated access to the admin dashboard. Default CSP blocks most script execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.32.0

Vendor Advisory: https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0

Restart Required: Yes

Instructions:

1. Backup your Vaultwarden data and configuration.
2. Update to Vaultwarden 1.32.0 or later.
3. Restart the Vaultwarden service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Admin Access (all)

Limit admin dashboard access to trusted users only and implement strong authentication.

Enhance CSP (all)

Strengthen Content Security Policy headers to further restrict script execution.

🧯 If You Can't Patch

  • Restrict admin dashboard access to specific IP addresses or VPN-only connections.
  • Implement web application firewall (WAF) rules to detect and block XSS payloads.

🔍 How to Verify

Check if Vulnerable:

Check if running Vaultwarden version 1.30.3 or earlier. Review admin dashboard for any unexpected HTML content.

Check Version:

docker exec vaultwarden vaultwarden --version (if using Docker) or check the Vaultwarden web interface footer.

Verify Fix Applied:

Confirm Vaultwarden version is 1.32.0 or later. Test admin dashboard functionality remains intact.
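The version check above, as an added Python example that is not part of this advisory: it runs the `docker exec vaultwarden vaultwarden --version` command from the Check Version step, pulls the first X.Y.Z string out of the output (the container name and the presence of such a string in the output are assumptions), and compares it numerically against the page's boundaries (affected up to and including 1.30.3, fixed in 1.32.0). Numeric comparison matters because a plain string comparison sorts "1.9.0" above "1.32.0".

```python
import re
import subprocess

# Boundaries stated in the advisory: affected up to and including 1.30.3, fixed in 1.32.0.
LAST_AFFECTED = (1, 30, 3)
FIXED_IN = (1, 32, 0)

# Assumption: the version output contains a plain X.Y.Z string somewhere.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(output):
    """Return the first X.Y.Z in `output` as an int tuple, so 1.9.0 sorts below 1.32.0
    (a plain string comparison would get this wrong)."""
    match = VERSION_RE.search(output)
    if match is None:
        raise ValueError(f"no X.Y.Z version found in {output!r}")
    return tuple(int(part) for part in match.groups())


def assess(version):
    """Map a version tuple onto the advisory's statements.

    'fixed'           : 1.32.0 or later
    'vulnerable'      : 1.30.3 or earlier (explicitly listed as affected)
    'update_required' : in between; not listed as affected, but below the fix release
    """
    if version >= FIXED_IN:
        return "fixed"
    if version <= LAST_AFFECTED:
        return "vulnerable"
    return "update_required"


def assess_container(container="vaultwarden"):
    """Run the advisory's Docker check and classify the result.
    `container` is an assumed container name; adjust it to your deployment."""
    proc = subprocess.run(
        ["docker", "exec", container, "vaultwarden", "--version"],
        capture_output=True, text=True, check=True,
    )
    return assess(parse_version(proc.stdout + proc.stderr))


if __name__ == "__main__":
    print(assess_container())
```

Run it on the Docker host; anything other than "fixed" means the instance should be updated to 1.32.0 or later and restarted.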

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin dashboard access patterns
  • Suspicious POST requests to admin endpoints with HTML/script content

Network Indicators:

  • HTTP requests containing script tags or JavaScript in admin dashboard parameters

SIEM Query:

source="vaultwarden" AND (uri_path="/admin/*" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))
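The SIEM query above matches the literal strings `<script>` and `javascript:`. The added Python example below (not from this advisory) applies the same two indicators to log records after percent-decoding, HTML-entity decoding and case folding, so that a POST to /admin/* carrying `%3Cscript%3E` or `<SCRIPT>` is still flagged. The JSON-lines record shape, its field names, and the sample paths, addresses and bodies are constructed for the example; map the field names onto your proxy or SIEM schema.

```python
import json
from html import unescape
from urllib.parse import unquote

# Constructed sample records (assumed JSON-lines shape; not real Vaultwarden logs).
SAMPLE_LOGS = [
    '{"source":"vaultwarden","method":"POST","uri_path":"/admin/users/overview","client":"10.0.0.5","request_body":"email=alice%40example.com"}',
    '{"source":"vaultwarden","method":"POST","uri_path":"/admin/config","client":"10.0.0.9","request_body":"org_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}',
    '{"source":"vaultwarden","method":"POST","uri_path":"/admin/invite","client":"10.0.0.9","request_body":"email=%3CSCRIPT src=x%3E"}',
    '{"source":"vaultwarden","method":"GET","uri_path":"/admin/","client":"10.0.0.5","request_body":""}',
    '{"source":"vaultwarden","method":"POST","uri_path":"/api/accounts/profile","client":"10.0.0.7","request_body":"name=%3Cscript%3E"}',
    '{"source":"vaultwarden","method":"POST","uri_path":"/admin/config","client":"10.0.0.9","request_body":"help_url=JavaScript%3Aalert(1)"}',
]

# The two indicators named by the advisory's SIEM query.
INDICATORS = ("<script", "javascript:")


def normalize(body):
    """Undo the encodings a literal substring match would miss.

    Percent-decode twice (double encoding is a common way to slip past a literal
    filter), then decode HTML entities and fold case.
    """
    decoded = body
    for _ in range(2):
        decoded = unquote(decoded)
    return unescape(decoded).lower()


def is_suspicious(record):
    """Mirror the SIEM query: POST to /admin/* whose normalized body carries an indicator."""
    if record.get("method") != "POST":
        return False
    if not record.get("uri_path", "").startswith("/admin/"):
        return False
    body = normalize(record.get("request_body", ""))
    return any(indicator in body for indicator in INDICATORS)


def scan(lines):
    """Return (client, uri_path) for every record that matches; skip malformed lines."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(record):
            hits.append((record.get("client", "?"), record.get("uri_path", "?")))
    return hits


if __name__ == "__main__":
    for client, path in scan(SAMPLE_LOGS):
        print(f"suspicious admin POST from {client} to {path}")
```

The normalization step is the point of the example: of the three records it flags, only one would have matched the literal query as written, and decoding the body once more than the application does is a cheap way to keep that gap from becoming a blind spot. Request bodies are only available if your reverse proxy or WAF logs them; Vaultwarden's own access log does not carry them.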
