CVE-2026-57521
Description
Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.
Mitigations
No mitigations published for this CVE yet.
References
- https://github.com/bitwarden/server/commit/0a3d9f9deb7d407503207b0d0ca8f0165a890bee
- https://github.com/bitwarden/server/pull/7583
- https://github.com/bitwarden/server/releases/tag/v2026.5.0
- https://sanjokkarki.com.np/blog/bitwarden-preview-invoice-idor
- https://www.vulncheck.com/advisories/bitwarden-server-broken-access-control-via-previewinvoicecontroller
CWEs
CWE-862