What is CVE-2026-34841?

CVE-2026-34841 is a critical-severity vulnerability in Usebruno Bruno, classified under Download of Code Without Integrity Check. CVSS score: 9.8/10. Published 2026-04-06.

How severe is CVE-2026-34841?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Vulnerability in Usebruno Bruno

CVE-2026-34841

Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platfor…

EPSS: 0.000 (8.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Usebruno Bruno — versions < 3.2.1

Weakness classification (CWE)

References

https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g (x_refsource_CONFIRM)
https://github.com/axios/axios/issues/10604 (x_refsource_MISC)
https://github.com/usebruno/bruno/pull/7632 (x_refsource_MISC)
https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-34841?: CVE-2026-34841 is a critical-severity vulnerability in Usebruno Bruno, classified under Download of Code Without Integrity Check. CVSS score: 9.8/10. Published 2026-04-06.
How severe is CVE-2026-34841?: Critical severity. CVSS v3 base score is 9.8 out of 10.