FOSSBilling CVE-2026-27708

EUVD: EUVD-2026-39052 · HIGH
Improper Access Control (CWE-284)
2026-06-24 · GitHub_M
7.1 HIGH · CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary rating: 7.1 HIGH (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today (AI): 6.5 MEDIUM (CVSS 3.1)

Rationale: a network-facing client API reachable with a low-privilege client account (PR:L), no user interaction and low attack complexity; the impact is read-only PII disclosure, so C:H with I:N/A:N and unchanged scope.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

The primary rating is the vendor's (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N (base metrics; the threat, environmental and supplemental metrics are all undefined (X) in the vendor vector)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity None, Availability None
Subsequent System Impact: None

CVSS 4.0 has no Scope metric; the split between vulnerable-system and subsequent-system impact replaces it.

Lifecycle Timeline

  • Patch available: Jun 24, 2026, 21:02 (EUVD)
  • Source code evidence fetched: Jun 24, 2026, 20:22 (vuln.today)
  • Analysis generated: Jun 24, 2026, 20:22 (vuln.today)

Description (CVE.org)

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach - attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.

Analysis (AI)

Insecure direct object reference (IDOR) in FOSSBilling's Servicecustom Client API (versions 0.7.2 and prior) lets any authenticated client retrieve another client's custom service records by supplying a guessed sequential order_id, because the __call method fetches the order without an ownership check. The exposed data includes other clients' PII (name, email, phone, address, company details, VAT number) and service configuration, making this a cross-tenant confidentiality breach. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: obtain a low-privilege client account
  • Delivery: call the Servicecustom Client API with another client's order_id
  • Exploit: the request succeeds because no ownership check is performed on the fetched order
  • Execution: enumerate sequential order IDs
  • Impact: harvest other clients' PII and service data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated FOSSBilling client account (CVSS PR:L) and an instance that exposes the Servicecustom Client API; the attacker calls a method dispatched through its __call handler with an attacker-chosen order_id that they do not own. …
Risk Assessment: The vendor-assigned CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, score 7.1) accurately reflects a network-reachable, low-complexity flaw requiring only a low-privilege authenticated client account, with high confidentiality impact and no integrity or availability impact, consistent with read-only PII disclosure. …
Exploit Scenario: An attacker registers or already holds a low-privilege client account on a FOSSBilling instance, then repeatedly calls the Servicecustom Client API while incrementing the order_id parameter through sequential values. For each ID belonging to another client, the API returns that client's custom service configuration and personal data, allowing bulk harvesting of PII across the entire customer base. …
Remediation: Vendor-released patch: 0.8.0. Upgrade FOSSBilling to 0.8.0 or later (https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0), reviewing the advisory at https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j first. …
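
The following is a worked model of the flaw and of the check the fix has to add, written for this page as an added example; it is not FOSSBilling code (FOSSBilling is written in PHP) and is not taken from the advisory. The in-memory order table, the field names, and the functions vulnerable_get_order, fixed_get_order and probe_order_ids are all constructed for illustration. The probe enumerates sequential order IDs under one client's identity, as the exploit scenario above describes, and reports every order returned that belongs to a different client; the same probe run against the fixed lookup shows the leak closed.

```python
"""
IDOR probe modelled on the Servicecustom order_id flaw (CVE-2026-27708).

Constructed example, not FOSSBilling code. The handlers are a
language-neutral model of a lookup that fetches an order by order_id
with no ownership check, and of the same lookup scoped to the caller.
The order table, field names and probe harness are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Order:
    id: int
    client_id: int
    # Constructed payload standing in for the PII the advisory lists
    # (name, email, phone, address, company details, VAT number).
    data: Dict[str, str]


class NotFound(Exception):
    """Order does not exist, or is not visible to the calling client."""


# Constructed order table: sequential ids shared across several clients.
ORDERS: Dict[int, Order] = {
    101: Order(101, client_id=7, data={"name": "Client Seven", "email": "seven@example.test"}),
    102: Order(102, client_id=12, data={"name": "Client Twelve", "email": "twelve@example.test"}),
    103: Order(103, client_id=7, data={"name": "Client Seven", "email": "seven@example.test"}),
    104: Order(104, client_id=31, data={"name": "Client ThirtyOne", "email": "thirtyone@example.test"}),
}


def vulnerable_get_order(authenticated_client_id: int, order_id: int) -> Order:
    """Shape of the pre-fix lookup: the order is fetched by id alone.

    The authenticated client id is available but never consulted, which
    is the IDOR: any authenticated client can read any order.
    """
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def fixed_get_order(authenticated_client_id: int, order_id: int) -> Order:
    """Lookup with the ownership check added.

    A foreign order is reported exactly like a missing one, so the error
    does not confirm to the caller that the id exists.
    """
    order = ORDERS.get(order_id)
    if order is None or order.client_id != authenticated_client_id:
        raise NotFound(order_id)
    return order


Fetcher = Callable[[int, int], Order]


@dataclass
class ProbeResult:
    own: List[int] = field(default_factory=list)       # ids that belong to the prober
    foreign: List[int] = field(default_factory=list)   # ids returned but owned by someone else
    denied: List[int] = field(default_factory=list)    # ids that raised NotFound

    @property
    def leaked(self) -> bool:
        return bool(self.foreign)


def probe_order_ids(fetch: Fetcher, my_client_id: int, first: int, last: int) -> ProbeResult:
    """Enumerate order ids [first, last] as one client and classify each response.

    Any order returned whose client_id differs from my_client_id is a
    cross-tenant leak. `fetch` is injectable so the same harness can wrap
    an authenticated call against a real deployment; here it runs against
    the constructed table.
    """
    result = ProbeResult()
    for order_id in range(first, last + 1):
        try:
            order = fetch(my_client_id, order_id)
        except NotFound:
            result.denied.append(order_id)
            continue
        if order.client_id == my_client_id:
            result.own.append(order_id)
        else:
            result.foreign.append(order_id)
    return result


if __name__ == "__main__":
    before = probe_order_ids(vulnerable_get_order, my_client_id=7, first=100, last=105)
    after = probe_order_ids(fixed_get_order, my_client_id=7, first=100, last=105)
    print("vulnerable lookup: own", before.own, "foreign", before.foreign, "leaked:", before.leaked)
    print("fixed lookup:      own", after.own, "foreign", after.foreign, "leaked:", after.leaked)
```

Against a live instance, `fetch` would wrap an authenticated client-API call and raise NotFound on any error response; the classification logic is unchanged, which makes the probe a usable post-upgrade check that requests for other clients' order IDs are now refused. The fixed handler deliberately returns the same error for a foreign order as for a non-existent one.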

Recommended Action (AI)

Within 24 hours: Inventory all FOSSBilling deployments and confirm whether any run version 0.7.2 or earlier. …
