CVE-2026-57521
Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController
Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
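As an added illustration of the defect class described above (this is not Bitwarden's code), the following minimal ASP.NET Core controller pair shows the same pattern: an authenticated endpoint that reads an organizationId from the route and returns billing data without checking that the caller belongs to that organization, beside the remediated form that evaluates a resource-based requirement before touching billing data. The names PreviewInvoiceController and ManageOrganizationBillingRequirement come from the advisory and are reused as stand-ins; IBillingPreviewService, IOrganizationMembershipLookup, InvoicePreview and the route shape are assumptions.

```csharp
// Added illustration, not Bitwarden's code. The controller and requirement reuse names
// from the advisory as stand-ins; every other type and the route shape are assumptions.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Resource-based requirement: "the caller may manage billing for this organization".
public class ManageOrganizationBillingRequirement : IAuthorizationRequirement { }

// Assumed lookup abstraction standing in for real organization-membership data.
public interface IOrganizationMembershipLookup
{
    Task<bool> CanManageBillingAsync(Guid userId, Guid organizationId);
}

// Assumed billing abstraction: derives a preview from the organization's customer and
// subscription records (the provider-computed tax/total data the advisory says leaked).
public interface IBillingPreviewService
{
    Task<InvoicePreview> PreviewAsync(Guid organizationId);
}
public record InvoicePreview(decimal Tax, decimal Total, string SubscriptionStatus);

// Handler that binds the requirement to the organization (the resource) named in the request.
public class ManageOrganizationBillingHandler
    : AuthorizationHandler<ManageOrganizationBillingRequirement, Guid>
{
    private readonly IOrganizationMembershipLookup _membership;
    public ManageOrganizationBillingHandler(IOrganizationMembershipLookup membership)
        => _membership = membership;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        ManageOrganizationBillingRequirement requirement,
        Guid organizationId)
    {
        var subject = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (Guid.TryParse(subject, out var userId) &&
            await _membership.CanManageBillingAsync(userId, organizationId))
        {
            context.Succeed(requirement);
        }
        // Otherwise the requirement stays unmet and AuthorizeAsync reports failure.
    }
}

// BEFORE: [Authorize] proves the caller has a session, nothing more. organizationId is
// caller-controlled input that is never tied back to the caller's memberships.
[Authorize]
[Route("organizations/{organizationId:guid}/billing")]
public class PreviewInvoiceControllerVulnerable : ControllerBase
{
    private readonly IBillingPreviewService _billing;
    public PreviewInvoiceControllerVulnerable(IBillingPreviewService billing) => _billing = billing;

    [HttpPost("preview-invoice")]
    public async Task<InvoicePreview> Preview([FromRoute] Guid organizationId)
        => await _billing.PreviewAsync(organizationId); // returns any organization's data
}

// AFTER: evaluate the requirement against this specific organization before any billing
// call, so a non-member receives 403 and no provider-side computation happens for them.
[Authorize]
[Route("organizations/{organizationId:guid}/billing")]
public class PreviewInvoiceControllerFixed : ControllerBase
{
    private readonly IBillingPreviewService _billing;
    private readonly IAuthorizationService _authz;
    public PreviewInvoiceControllerFixed(IBillingPreviewService billing, IAuthorizationService authz)
        => (_billing, _authz) = (billing, authz);

    [HttpPost("preview-invoice")]
    public async Task<ActionResult<InvoicePreview>> Preview([FromRoute] Guid organizationId)
    {
        var decision = await _authz.AuthorizeAsync(
            User, organizationId, new ManageOrganizationBillingRequirement());
        if (!decision.Succeeded)
            return Forbid();
        return await _billing.PreviewAsync(organizationId);
    }
}

// Registration in Program.cs (the handler must be in DI for AuthorizeAsync to find it):
// builder.Services.AddScoped<IAuthorizationHandler, ManageOrganizationBillingHandler>();
```

The point the fixed controller makes is that authentication and authorization are separate checks: the identifier in the URL must be validated against the caller's own memberships, not merely parsed. A regression test for this class of bug is a request from an authenticated user who is not a member of the target organization, asserting a 403 and asserting that the billing service mock was never invoked; the second assertion catches the variant where data is fetched first and the check added afterwards.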
Affected products
bitwarden · server
Public PoCs found — 1
cve_references · sanjokkarki.com.np/blog/bitwarden-preview-invoice-idor · not verified
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/bitwarden/server/commit/0a3d9f9deb7d407503207b0d0ca8f0165a890bee
https://github.com/bitwarden/server/pull/7583
https://github.com/bitwarden/server/releases/tag/v2026.5.0
https://sanjokkarki.com.np/blog/bitwarden-preview-invoice-idor
https://www.vulncheck.com/advisories/bitwarden-server-broken-access-control-via-previewinvoicecontroller