CVE-2026-57521
Undergoing Analysis - In Progress
Bitwarden Server Missing Authorization in Billing Data Access

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: bitwarden | Product: server | Version / Range: up to 2026.5.0 (excluding)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-57521 is a broken access control vulnerability in Bitwarden Server versions before 2026.5.0. It allows any authenticated user to access sensitive billing data of arbitrary organizations by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints. The endpoints lack the ManageOrganizationBillingRequirement authorization check, so users who are neither members nor owners of an organization can still retrieve billing details such as Stripe-computed tax totals, subscription status, and other billing information.

The vulnerability arises from the PreviewInvoiceController loading organization data from the route without verifying the user's membership or role, enabling unauthorized access to billing data. The fix involved adding authorization requirements to the affected endpoints to ensure only users with appropriate permissions (organization owners or billing managers) can access this information.

Impact Analysis

This vulnerability can impact you by allowing any authenticated user, including potential attackers within the system, to access sensitive billing information of any organization without proper authorization. This includes access to Stripe-computed tax totals, subscription statuses, and detailed billing data derived from real customer and subscription information.

Such unauthorized access can lead to privacy violations, exposure of confidential financial data, and potential misuse of billing information. It undermines the confidentiality of organizational billing data and could facilitate further attacks or fraud.

Detection Guidance

This vulnerability can be detected by attempting to access the PreviewInvoiceController endpoints with an arbitrary organizationId while authenticated as a non-member or unauthorized user. If the system returns billing data without proper authorization checks, it indicates the presence of the vulnerability.

Specifically, you can test the endpoints POST /subscription/plan-change and PUT /subscription/update by sending requests with organizationIds for organizations you do not belong to. Successful retrieval of billing data such as Stripe-computed tax totals or subscription status without proper permissions indicates the vulnerability.

Example commands using curl might be:

  • curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" https://<bitwarden-server>/api/previewinvoice/subscription/plan-change -d '{"organizationId": "<target-org-id>"}'
  • curl -X PUT -H "Authorization: Bearer <token>" -H "Content-Type: application/json" https://<bitwarden-server>/api/previewinvoice/subscription/update -d '{"organizationId": "<target-org-id>"}'

Replace <token> with a valid authentication token for a user who is not a member or owner of the target organization, and <target-org-id> with the ID of an organization you want to test against.

Mitigation Strategies

The immediate mitigation step is to upgrade the Bitwarden Server to version 2026.5.0 or later, where this vulnerability has been fixed.

The fix involves adding proper authorization checks requiring the ManageOrganizationBillingRequirement on the PreviewInvoiceController endpoints, ensuring only organization owners or users with appropriate billing permissions can access sensitive billing data.

Until the upgrade is applied, restrict access to the PreviewInvoiceController endpoints or monitor and block suspicious requests that attempt to access billing data with arbitrary organizationIds.
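
The fix described above, as an added illustration of the ASP.NET Core resource-based authorization pattern (this is not Bitwarden's own code): the requirement is evaluated against the caller-supplied organizationId before any billing data is loaded. The route, the request shape, the "sub" claim name and the IOrganizationMembership interface are assumptions; the handler must be registered in DI (e.g. services.AddSingleton<IAuthorizationHandler, ManageOrganizationBillingHandler>()).

```csharp
// Illustrative ASP.NET Core pattern, not Bitwarden's code: the missing-check shape is
// authentication only ([Authorize]); the hardened action also checks a requirement
// against the organizationId the caller supplied.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public sealed class ManageOrganizationBillingRequirement : IAuthorizationRequirement { }
// Assumed membership lookup; a real implementation queries the organization-user table.
public interface IOrganizationMembership
{
    Task<bool> IsOwnerOrBillingManagerAsync(Guid userId, Guid organizationId);
}

public sealed class ManageOrganizationBillingHandler
    : AuthorizationHandler<ManageOrganizationBillingRequirement, Guid>
{
    private readonly IOrganizationMembership _membership;
    public ManageOrganizationBillingHandler(IOrganizationMembership m) => _membership = m;
    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
        ManageOrganizationBillingRequirement requirement, Guid organizationId)
    {
        // Succeed only for an owner or billing manager of THIS organization; otherwise the
        // requirement stays unmet and the request is denied. "sub" claim name is assumed.
        if (Guid.TryParse(context.User.FindFirst("sub")?.Value, out var userId)
            && await _membership.IsOwnerOrBillingManagerAsync(userId, organizationId))
            context.Succeed(requirement);
    }
}

public sealed record PreviewInvoiceRequest(Guid OrganizationId);
[ApiController, Route("previewinvoice/subscription"), Authorize]
public sealed class PreviewInvoiceController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    public PreviewInvoiceController(IAuthorizationService authz) => _authz = authz;
    // Vulnerable shape (for contrast): return Ok(BuildPreview(req.OrganizationId)) directly,
    // so any signed-in user can name any organization.
    [HttpPost("plan-change")]
    public async Task<IActionResult> PlanChange([FromBody] PreviewInvoiceRequest req)
    {
        var result = await _authz.AuthorizeAsync(User, req.OrganizationId,
            new ManageOrganizationBillingRequirement());
        if (!result.Succeeded) return Forbid();
        return Ok(BuildPreview(req.OrganizationId)); // billing lookup only after the check
    }

    private static object BuildPreview(Guid organizationId) => new { organizationId }; // stand-in
}
```

The same check must be applied to every PreviewInvoiceController action that takes an organizationId, including the subscription update route; a single hardened action leaves the others exposed.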

Compliance Impact

The vulnerability allows any authenticated user to access sensitive billing data of arbitrary organizations without proper authorization. This unauthorized access to billing and subscription details, including Stripe-computed tax totals and real customer data, could lead to exposure of personal and financial information.

Such unauthorized disclosure of sensitive data may impact compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and financial information. Failure to enforce proper authorization could result in violations of these standards, potentially leading to legal and regulatory consequences.
