Impact
Bitwarden Server versions prior to 2026.5.0 contain a broken access control flaw in the PreviewInvoiceController. Any authenticated user can request billing information for any organization by supplying an arbitrary organizationId: the affected endpoints do not apply the ManageOrganizationBillingRequirement checks that should restrict them to users permitted to manage the target organization's billing. An attacker can therefore retrieve Stripe-computed tax totals, subscription status, and other billing details belonging to organizations they are not a member of. The result is disclosure of sensitive financial information and a loss of confidentiality for customer billing data.
Affected Systems
Bitwarden Server (bitwarden:server); all deployments running versions earlier than 2026.5.0 are affected. The flaw is confined to the preview invoice endpoints, which do not enforce organization membership or billing-role checks against the supplied organizationId.
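To make the missing check concrete, the following is an added illustrative ASP.NET Core sketch, not Bitwarden's code, of the endpoint shape described in the Impact and Affected Systems sections beside a resource-based authorization check that closes it. Everything except the name ManageOrganizationBillingRequirement, which the advisory itself uses, is an assumption: the route, the request and response types, the repository and service interfaces, and the role names.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// ASSUMPTION: the requirement class, handler, repository, service and route below
// are illustrative stand-ins, not Bitwarden's implementation. Only the name
// ManageOrganizationBillingRequirement comes from the advisory text.

public class ManageOrganizationBillingRequirement : IAuthorizationRequirement { }

public interface IOrganizationUserRepository
{
    // Role of userId inside organizationId, or null when the user is not a member.
    Task<string?> GetRoleAsync(Guid userId, Guid organizationId);
}

public record PreviewInvoiceRequest(string PlanId, int Seats);

public interface IInvoicePreviewService
{
    // Returns the Stripe-computed preview (totals, tax, status) for the organization.
    Task<object> PreviewAsync(Guid organizationId, PreviewInvoiceRequest request);
}

// Resource-based handler: the resource is the organizationId taken from the request,
// so the decision is bound to the organization actually being queried.
public class ManageOrganizationBillingHandler
    : AuthorizationHandler<ManageOrganizationBillingRequirement, Guid>
{
    private readonly IOrganizationUserRepository _orgUsers;

    public ManageOrganizationBillingHandler(IOrganizationUserRepository orgUsers)
        => _orgUsers = orgUsers;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        ManageOrganizationBillingRequirement requirement,
        Guid organizationId)
    {
        var userIdClaim = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (!Guid.TryParse(userIdClaim, out var userId))
        {
            return; // No usable identity: requirement stays unmet, caller gets 403.
        }

        var role = await _orgUsers.GetRoleAsync(userId, organizationId);

        // Membership alone is not enough; only billing-managing roles pass.
        // "Owner" and "Admin" are assumed role names for this example.
        if (role is "Owner" or "Admin")
        {
            context.Succeed(requirement);
        }
    }
}

[ApiController]
[Authorize]
[Route("organizations/{organizationId:guid}/billing")] // assumed route
public class PreviewInvoiceController : ControllerBase
{
    private readonly IAuthorizationService _authorization;
    private readonly IInvoicePreviewService _invoices;

    public PreviewInvoiceController(IAuthorizationService authorization, IInvoicePreviewService invoices)
    {
        _authorization = authorization;
        _invoices = invoices;
    }

    // Shape of the flaw: [Authorize] proves the caller has *an* account, but nothing
    // ties the caller to organizationId, so any user can preview any organization's invoice.
    [HttpPost("preview-invoice-unchecked")]
    public async Task<IActionResult> PreviewUnchecked(Guid organizationId, PreviewInvoiceRequest request)
        => Ok(await _invoices.PreviewAsync(organizationId, request));

    // Hardened shape: evaluate the requirement against the supplied organizationId
    // before touching billing data. AuthorizeAsync(user, resource, requirement) is
    // the standard ASP.NET Core resource-based authorization entry point.
    [HttpPost("preview-invoice")]
    public async Task<IActionResult> Preview(Guid organizationId, PreviewInvoiceRequest request)
    {
        var result = await _authorization.AuthorizeAsync(
            User, organizationId, new ManageOrganizationBillingRequirement());

        if (!result.Succeeded)
        {
            return Forbid();
        }

        return Ok(await _invoices.PreviewAsync(organizationId, request));
    }
}
```

The handler only takes effect once it is registered (for example `services.AddScoped<IAuthorizationHandler, ManageOrganizationBillingHandler>();` in the service setup). A useful regression check for any endpoint of this shape is to call it with a valid token for one user and the organizationId of an organization that user does not belong to, and assert that the response is 403 rather than billing data; the unchecked action above is exactly the case that would fail that check.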
Risk and Exploitability
The CVSS base score of 5.3 rates the flaw as medium severity, but because the exposed data is financial, the practical risk to affected organizations is higher than the score alone suggests. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an authenticated account: no privilege escalation is needed, and no access beyond a normal login to the server. The attacker can be an insider or a remote user, as long as they can authenticate to the Bitwarden Server. That makes the flaw readily actionable for anyone who already holds user credentials, which in a multi-tenant deployment includes users of unrelated tenants.
OpenCVE Enrichment