CVE-2026-57521

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.

Vulnerability Details

Published Date

June 25, 2026

Last Modified

June 25, 2026

CWE ID

CWE-862

Source

NVD

Vendor

bitwarden

Product

server

External References

https://github.com/bitwarden/server/commit/0a3d9f9deb7d407503207b0d0ca8f0165a890bee
https://github.com/bitwarden/server/pull/7583
https://github.com/bitwarden/server/releases/tag/v2026.5.0
https://sanjokkarki.com.np/blog/bitwarden-preview-invoice-idor
https://www.vulncheck.com/advisories/bitwarden-server-broken-access-control-via-previewinvoicecontroller

CVE-2026-57521

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment