Skip to main content

Bitwarden Server EUVDEUVD-2026-39542

| CVE-2026-57521 MEDIUM
Missing Authorization (CWE-862)
2026-06-25 VulnCheck GHSA-3pr2-gvgh-h5qc
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable IDOR requiring only a valid session (PR:L); no integrity or availability impact; confidentiality limited to billing metadata, not vault data.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 20:20 vuln.today
Analysis Generated
Jun 25, 2026 - 20:20 vuln.today

DescriptionCVE.org

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.

AnalysisAI

Broken access control in Bitwarden Server before 2026.5.0 exposes organization billing data to any authenticated user via an IDOR vulnerability in the PreviewInvoiceController endpoints. The missing ManageOrganizationBillingRequirement authorization check permits a valid session holder to supply an arbitrary organizationId and retrieve Stripe-derived billing details - including tax totals, subscription status, and customer data - for organizations they do not belong to. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as any valid Bitwarden user
Delivery
Enumerate or guess target organizationId values
Exploit
Send crafted request to PreviewInvoiceController with target organizationId
Execution
Server bypasses authorization check and proxies Stripe API call
Impact
Receive Stripe subscription status, tax totals, and billing details for target organization

Vulnerability AssessmentAI

Exploitation The attacker must possess a valid authenticated session on the target Bitwarden Server instance (PR:L); unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N) establishes a baseline score of 5.3, reflecting network reachability with low privilege requirements and limited confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding any valid authenticated session on a self-hosted Bitwarden Server instance - such as a personal account with no organizational affiliation - sends crafted HTTP requests to the PreviewInvoiceController endpoints, substituting the organizationId parameter with identifiers belonging to other organizations on the same server. Because no membership or billing permission check is enforced, the server proxies the request to Stripe and returns subscription status, tax data, and billing details for the target organization. …
Remediation Upgrade Bitwarden Server to version 2026.5.0 or later, available at https://github.com/bitwarden/server/releases/tag/v2026.5.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Server

View all
CVE-2026-43639 HIGH POC
8.9 May 11

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access

CVE-2026-43640 HIGH POC
8.6 May 11

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2026-49261 CRITICAL
9.8 Jun 11

OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes b

CVE-2026-43638 MEDIUM POC
5.3 May 11

Bitwarden Server prior to v2026.4.1 allows any authenticated user to write ciphers (encrypted credentials) into arbitrar

CVE-2026-4924 HIGH
8.2 Apr 01

Devolutions Server 2026.1.11 and earlier allows authenticated remote attackers to bypass two-factor authentication by re

CVE-2026-4828 HIGH
8.2 Apr 01

Devolutions Server versions 2026.1.11 and earlier allow authenticated remote attackers to bypass multi-factor authentica

CVE-2026-4434 HIGH
8.1 Mar 20

Devolutions Server contains an improper certificate validation vulnerability in its PAM propagation WinRM connections th

CVE-2026-41161 MEDIUM
6.9 May 08

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version

CVE-2025-15316 MEDIUM
6.7 Feb 09

Tanium addressed a local privilege escalation vulnerability in Tanium Server. [CVSS 6.7 MEDIUM]

CVE-2025-15315 MEDIUM
6.7 Feb 09

Tanium addressed a local privilege escalation vulnerability in Tanium Module Server. [CVSS 6.7 MEDIUM]

Vendor StatusVendor

SUSE

Severity: Moderate

Share

EUVD-2026-39542 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy