Cyber Resilience

CVE-2026-34841

Critical · RCE

Published: 06 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (upgrade to 3.2.1)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (14.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-34841 is a critical-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Usebruno Bruno. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE is ranked at the 14.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SA-12 (Supply Chain Protection).

Deeper analysis

CVE-2026-34841 is a supply chain vulnerability affecting Bruno, an open source IDE for exploring and testing APIs, in versions prior to 3.2.1. The issue arises from compromised versions of the axios npm package, which introduced a hidden dependency that deploys a cross-platform Remote Access Trojan (RAT). It specifically impacts users of the @usebruno/cli package who ran npm install between 00:21 UTC and approximately 03:30 UTC on March 31, 2026. The vulnerability is rated critical with a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-494 and CWE-506.

Any user executing the affected npm install command during the specified time window on March 31, 2026, could unwittingly deploy the RAT, with no privileges, authentication, or additional user interaction required. Attackers leveraging this supply chain compromise achieve high-impact remote access, enabling full compromise of confidentiality, integrity, and availability on the victim's system across platforms.

Advisories and patches, detailed in GitHub issues such as axios#10604 and Bruno pull request #7632, along with Bruno's security advisory GHSA-658g-p7jg-wx5g, recommend immediate upgrade to Bruno version 3.2.1 to remove the compromised dependency and prevent RAT deployment. Additional analysis is available from Aikido.dev.

Vulnerability details

Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1.

CWE(s)

CWE-494 Download of Code Without Integrity Check
CWE-506 Embedded Malicious Code

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1195.001 Compromise Software Dependencies and Development Tools Initial Access
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The CVE describes a supply chain compromise where a malicious version of the axios dependency was used to deploy a RAT via npm install, directly mapping to compromise of software dependencies and development tools.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69263 (shared CWE-494)
CVE-2026-22865 (shared CWE-494)
CVE-2026-42575 (shared CWE-494)
CVE-2026-31976 (shared CWE-506)
CVE-2025-30154 (shared CWE-506)
CVE-2026-45321 (shared CWE-506)
CVE-2025-54313 (shared CWE-506)
CVE-2026-33634 (shared CWE-506)
CVE-2025-34212 (shared CWE-494)
CVE-2026-22816 (shared CWE-494)

Affected Assets

usebruno / bruno, version ≤ 3.2.1

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SR-11 Component Authenticity (prevent)
Requires verification of component authenticity for npm packages like the compromised axios, preventing installation of versions with hidden RAT dependencies.

SA-12 Supply Chain Protection (prevent)
Mandates protections against supply chain risks, directly addressing compromises in third-party open-source dependencies such as axios.

CM-14 Signed Components (prevent)
Enforces digital signing of software components, ensuring npm packages are verified for tampering before installation and RAT deployment.
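The deeper analysis above describes the mechanism (a compromised axios release pulling in a hidden dependency) and the controls above ask for component authenticity and verifiable integrity before install. As an added example, not tooling from the Bruno or axios projects, the script below audits a package-lock.json for every installed copy of axios, including copies nested under other packages, and flags any copy that declares a dependency outside a reviewed baseline or ships without an integrity hash. The baseline set, the sample lockfile and the package name "example-hidden-dep" are constructed for illustration and are not indicators from this incident.

```python
"""Audit a package-lock.json for installed copies of axios that look unexpected.

Added example for this page, not tooling from the Bruno or axios projects. It
walks the lockfile's "packages" map (lockfileVersion 2 or 3), collects every
installed copy of axios, whether hoisted to the root or nested under another
package, and flags a copy when it declares a dependency outside a reviewed
baseline or lacks an integrity hash that npm could verify on install. The
baseline, the sample lockfile and "example-hidden-dep" are constructed.
"""
import json
import sys
from typing import Dict, List

# Assumed baseline: the direct dependencies an operator has reviewed for the
# axios versions in use. Maintain this from your own review, not from this file.
AXIOS_EXPECTED_DEPS = frozenset({"follow-redirects", "form-data", "proxy-from-env"})

# Constructed sample lockfile: a clean hoisted axios, plus a nested copy that
# declares an extra dependency and ships without an integrity hash.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {
            "version": "1.0.0",
            "resolved": "https://registry.example.invalid/axios/-/axios-1.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
            "dependencies": {
                "follow-redirects": "^1.0.0",
                "form-data": "^4.0.0",
                "proxy-from-env": "^1.0.0",
            },
        },
        "node_modules/some-tool/node_modules/axios": {
            "version": "1.0.1",
            "resolved": "https://registry.example.invalid/axios/-/axios-1.0.1.tgz",
            "dependencies": {
                "follow-redirects": "^1.0.0",
                "example-hidden-dep": "^0.0.1",
            },
        },
        "node_modules/example-hidden-dep": {"version": "0.0.1"},
    },
})


def parse_lock(text: str) -> Dict:
    """Parse lockfile JSON; refuse the v1 layout, which has no 'packages' map."""
    lock = json.loads(text)
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    return lock


def find_axios_entries(lock: Dict) -> List[Dict]:
    """Return every installed copy of axios with its version, integrity and deps."""
    entries = []
    for path, node in lock["packages"].items():
        # An install path always ends in node_modules/<name>; matching on the
        # suffix catches nested copies, not only the hoisted root one.
        if path == "node_modules/axios" or path.endswith("/node_modules/axios"):
            entries.append({
                "path": path,
                "version": node.get("version"),
                "integrity": node.get("integrity"),
                "deps": sorted(node.get("dependencies", {})),
            })
    return entries


def audit_lockfile(text: str, expected_deps=AXIOS_EXPECTED_DEPS) -> List[Dict]:
    """Return the axios entries that deserve a look, each with its reasons."""
    findings = []
    for entry in find_axios_entries(parse_lock(text)):
        reasons = []
        unexpected = sorted(set(entry["deps"]) - set(expected_deps))
        if unexpected:
            reasons.append("unexpected dependencies: " + ", ".join(unexpected))
        if not entry["integrity"]:
            reasons.append("no integrity hash; npm cannot verify the tarball on install")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Pass a real package-lock.json path, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    for f in audit_lockfile(text):
        print(f"{f['path']} (axios {f['version']})")
        for r in f["reasons"]:
            print("  -", r)
```

The lockfile walk is the useful part: a hoisted `npm ls axios` view can hide a second, nested copy that a transitive dependency pinned separately, and it is exactly that kind of copy that a lockfile-level check surfaces. On npm versions that support it, `npm audit signatures` complements this by checking registry signatures for the packages actually installed, which is the signed-components control in practice.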
