Supply Chain Attack in Bruno IDE Affecting API Exploration Tools
CVE-2026-34841

9.8 CRITICAL

Key Information:

Vendor

Usebruno

Status
Vendor
CVE Published:
6 April 2026

What is CVE-2026-34841?

The Bruno IDE, used for exploring and testing APIs, was affected by a supply chain attack through compromised versions of the axios npm package. The compromise allowed a cross-platform Remote Access Trojan (RAT) to be injected during installation. Specifically, users of @usebruno/cli who ran npm install between 00:21 UTC and approximately 03:30 UTC on March 31, 2026, may have installed an impacted version. Users should upgrade to version 3.2.1 or later to protect against potential exploitation.

Affected Version(s)

bruno < 3.2.1
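
A triage sketch for the exposure window and fixed version given above, added here as an example and not taken from the advisory or the Bruno project. It assumes npm's debug logs are available (by default under `~/.npm/_logs`, named after the start time of each npm run); the function names and sample file names are constructed for illustration.

```javascript
// Added example: flag npm runs inside the advisory's window and versions below the fix.
const WINDOW_START = Date.UTC(2026, 2, 31, 0, 21); // 00:21 UTC, 31 March 2026
const WINDOW_END = Date.UTC(2026, 2, 31, 3, 30);   // ~03:30 UTC (approximate per the advisory)
const FIXED_VERSION = "3.2.1";

// npm names each debug log after the run's start time, e.g.
// 2026-03-31T01_02_03_456Z-debug-0.log (older npm releases omit the "-0").
const LOG_NAME = /^(\d{4})-(\d{2})-(\d{2})T(\d{2})_(\d{2})_(\d{2})_(\d{3})Z-debug(?:-\d+)?\.log$/;

// Returns the run's start time as epoch milliseconds, or null for other files.
function logStartTime(name) {
  const m = LOG_NAME.exec(name);
  if (!m) return null;
  const [y, mo, d, h, mi, s, ms] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, s, ms);
}

// slackMinutes widens both edges, since the end of the window is approximate.
function inExposureWindow(ts, slackMinutes = 0) {
  const slack = slackMinutes * 60000;
  return ts >= WINDOW_START - slack && ts <= WINDOW_END + slack;
}

// Numeric major.minor.patch comparison; a prerelease suffix is ignored (simplification).
function isAffectedVersion(version) {
  const a = version.split("-")[0].split(".").map(Number);
  const b = FIXED_VERSION.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== b[i]) return (a[i] || 0) < b[i];
  }
  return false;
}

// Filters a directory listing down to npm runs that started inside the window.
function exposedRuns(logNames, slackMinutes = 0) {
  return logNames.filter((name) => {
    const ts = logStartTime(name);
    return ts !== null && inExposureWindow(ts, slackMinutes);
  });
}

// Constructed sample listing, not real log names from an affected host.
const SAMPLE_LOGS = [
  "2026-03-30T23_59_10_000Z-debug-0.log",
  "2026-03-31T00_21_00_000Z-debug-0.log",
  "2026-03-31T02_14_55_120Z-debug-0.log",
  "2026-03-31T03_41_07_003Z-debug-0.log",
  "notes.txt",
];
console.log(exposedRuns(SAMPLE_LOGS), isAffectedVersion("3.2.0"));
```

npm writes a log for every command and keeps only a limited number of them, so a hit means an npm run to inspect further, and an empty result does not rule out an install during the window.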

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
