CVE-2026-57521

Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController

CVSS 5.3 MEDIUMEPSS 0.2%CWE-862

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Productos afectados

bitwarden · server

PoCs públicas encontradas — 1

cve_referencesanjokkarki.com.np/blog/bitwarden-preview-invoice-idorno verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/bitwarden/server/commit/0a3d9f9deb7d407503207b0d0ca8f0165a890bee https://github.com/bitwarden/server/pull/7583 https://github.com/bitwarden/server/releases/tag/v2026.5.0 https://sanjokkarki.com.np/blog/bitwarden-preview-invoice-idor https://www.vulncheck.com/advisories/bitwarden-server-broken-access-control-via-previewinvoicecontroller