No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Fri, 26 Jun 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 26 Jun 2026 01:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Bitwarden
Bitwarden server |
|
| Vendors & Products |
Bitwarden
Bitwarden server |
Thu, 25 Jun 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data. | |
| Title | Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-26T13:21:10.688Z
Reserved: 2026-06-24T15:58:58.537Z
Link: CVE-2026-57521
Updated: 2026-06-26T13:21:07.126Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-06-26T01:15:04Z