Vulnerability DatabaseCVE-2026-57521
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-57521
Published:June 25, 2026
Updated:June 29, 2026
Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.
Affected Packages
https://github.com/bitwarden/server.git (GITHUB):
Affected version(s) >=v1.0.0 <v2026.5.0
Fix Suggestion:
Update to version v2026.5.0
Related Resources (5)
https://sanjokkarki.com.np/blog/bitwarden-preview-invoice-idor
https://www.vulncheck.com/advisories/bitwarden-server-broken-access-control-via-previewinvoicecontroller
https://github.com/bitwarden/server/commit/0a3d9f9deb7d407503207b0d0ca8f0165a890bee
https://github.com/bitwarden/server/pull/7583
https://github.com/bitwarden/server/releases/tag/v2026.5.0
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Missing Authorization
CWE-862
EPSS
Base Score:
0.21