CVE-2026-54728
Received Received - Intake

Privilege Escalation in BunkerWeb via Host Header

Vulnerability report for CVE-2026-54728, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). Prior to BunkerWeb 1.6.12 and BunkerWeb PRO 0.57, authenticated Host header handling in the BunkerWeb UI and API improperly validated and neutralized user-controlled input in a configuration-dependent path, allowing a low-privileged authenticated user to escalate privileges and affect confidentiality, integrity, and availability of the BunkerWeb instance. This issue is fixed in BunkerWeb version 1.6.12 and BunkerWeb PRO version 0.57.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
bunkerity bunkerweb 1.6.12
bunkerity bunkerweb_pro 0.57
bunkerity bunkerweb to 1.6.12 (exc)
bunkerity bunkerweb_pro to 0.57 (exc)
bunkerweb bunkerweb to 1.6.12 (exc)
bunkerweb bunkerweb_pro to 0.57 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authenticated privilege escalation flaw in BunkerWeb versions below 1.6.12. It allows low-privileged authenticated users to inject a crafted Host header, influencing Biscuit authentication token generation. This can grant elevated privileges, including administrative access, but only when the UI/API are directly exposed without BunkerWeb or a reverse proxy handling virtual host validation.

Detection Guidance

To detect this vulnerability, check if your BunkerWeb instance is running a version below 1.6.12 (or BunkerWeb PRO below 0.57). Use commands like 'bwcli version' or check the web UI/API version. If the UI/API is directly exposed without a reverse proxy, it may be vulnerable. Inspect logs for unusual Host header values or privilege escalation attempts.

Impact Analysis

The impact includes potential privilege escalation for authenticated users, leading to unauthorized administrative access. This can affect confidentiality, integrity, and availability of the BunkerWeb instance. The vulnerability requires a valid low-privileged account and is not exploitable by unauthenticated attackers.

Compliance Impact

This vulnerability allows low-privileged authenticated users to escalate privileges and gain administrative access, which could lead to unauthorized access to sensitive data. This may violate GDPR's data protection requirements for confidentiality and integrity, and HIPAA's safeguards for protected health information if such data is involved.

Mitigation Strategies

Upgrade BunkerWeb to version 1.6.12 or BunkerWeb PRO to 0.57 immediately. If upgrading is not possible, restrict direct access to the UI/API by placing it behind a reverse proxy that handles virtual host validation. Ensure all low-privileged accounts are reviewed for suspicious activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54728. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart