CVE-2026-57521
Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController
| CVSS Score | 4.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.
| CWE | CWE-862 |
| Vendor | bitwarden |
| Product | server |
| Published | Jun 25, 2026 |
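The fix pattern the description calls for, as an added illustrative example in ASP.NET Core C# (not Bitwarden's own code): only the requirement name `ManageOrganizationBillingRequirement` comes from the advisory; the route, the `IOrganizationMembership` lookup and the handler body are assumptions, and implicit usings (`System`, `System.Threading.Tasks`) are assumed to be enabled.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Requirement named in the advisory; the handler below is an assumed implementation.
public class ManageOrganizationBillingRequirement : IAuthorizationRequirement { }

// Assumed lookup: true only if userId is a member of organizationId with a billing-capable role.
public interface IOrganizationMembership
{
    Task<bool> CanManageBillingAsync(Guid userId, Guid organizationId);
}

// Resource-based handler: the resource is the organizationId from the route, so the
// decision is bound to the specific organization the caller asked for.
public class ManageOrganizationBillingHandler
    : AuthorizationHandler<ManageOrganizationBillingRequirement, Guid>
{
    private readonly IOrganizationMembership _membership;
    public ManageOrganizationBillingHandler(IOrganizationMembership m) => _membership = m;
    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        ManageOrganizationBillingRequirement requirement,
        Guid organizationId)
    {
        var sub = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (Guid.TryParse(sub, out var userId)
            && await _membership.CanManageBillingAsync(userId, organizationId))
            context.Succeed(requirement);
        // Otherwise nothing is marked succeeded and the requirement fails closed.
    }
}

[Authorize] // authentication only: this is all the vulnerable version checked
[Route("organizations/{organizationId}/billing/invoice/preview")] // assumed route
public class PreviewInvoiceController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    public PreviewInvoiceController(IAuthorizationService authz) => _authz = authz;
    [HttpPost]
    public async Task<IActionResult> Preview(Guid organizationId)
    {
        // The fix: authorize the caller against this organizationId before any customer
        // or subscription data is read; the vulnerable version went straight to that data.
        var result = await _authz.AuthorizeAsync(
            User, organizationId, new ManageOrganizationBillingRequirement());
        if (!result.Succeeded)
            return NotFound(); // avoid confirming that the organization exists
        return Ok(); // build and return the invoice preview for organizationId here
    }
}
```

Registering the handler as a scoped `IAuthorizationHandler` makes the same membership check reusable on every billing endpoint that takes an organizationId, so a newly added endpoint cannot silently omit it.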
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Affected Versions
bitwarden / server
0 < 2026.5.0
References
- sanjokkarki.com.np: https://sanjokkarki.com.np/blog/bitwarden-preview-invoice-idor
- github.com: https://github.com/bitwarden/server/releases/tag/v2026.5.0
- github.com: https://github.com/bitwarden/server/pull/7583
- github.com: https://github.com/bitwarden/server/commit/0a3d9f9deb7d407503207b0d0ca8f0165a890bee
- vulncheck.com: https://www.vulncheck.com/advisories/bitwarden-server-broken-access-control-via-previewinvoicecontroller
Credits
Sanjok Karki