Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.

Basic Information

ID CVE-2026-57521

Source VulnCheck

Published Jun 25, 2026 at 19:09

Affected Product

Vendor bitwarden

Product server

Affected Versions bitwarden server 0

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.",
    "published": "2026-06-25T19:09:08.990Z",
    "modified": "2026-06-25T19:09:08.990Z",
    "type": "cve",
    "title": "Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController",
    "source": "VulnCheck",
    "references": "https://sanjokkarki.com.np/blog/bitwarden-preview-invoice-idor\nhttps://github.com/bitwarden/server/releases/tag/v2026.5.0\nhttps://github.com/bitwarden/server/pull/7583\nhttps://github.com/bitwarden/server/commit/0a3d9f9deb7d407503207b0d0ca8f0165a890bee\nhttps://www.vulncheck.com/advisories/bitwarden-server-broken-access-control-via-previewinvoicecontroller",
    "id": "CVE-2026-57521",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "bitwarden server 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "server",
    "version": "0",
    "vendor": "bitwarden",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController_CVE-2026-57521