CVE-2026-57521 | Bitwarden Server before 2026.5.0 contains a broken access co… | CVSS 4.3 MEDIUM

Description

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.

Metadata

CVE ID: CVE-2026-57521
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-24 15:58 UTC
Published: 2026-06-25 19:09 UTC
Last updated: 2026-06-25 19:09 UTC
Primary CWE: CWE-862
Missing Authorization
Vendor / Product: bitwarden / server
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
bitwarden	server	—	0 < 2026.5.0

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	Missing Authorization

CVSS scores (2)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
4.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)