Skip to main content

Hostbill CVE-2026-31051

| EUVDEUVD-2026-25423 LOW
Uncontrolled Resource Consumption (CWE-400)
2026-04-24 mitre GHSA-m9pp-9784-85qg
3.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.8 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Apr 24, 2026 - 17:22 vuln.today
CVSS changed
Apr 24, 2026 - 17:22 NVD
3.8 (LOW)
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25423
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 00:00 nvd
LOW 3.8

DescriptionCVE.org

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Client Balance component

AnalysisAI

Denial of service via improper resource handling in the Client Balance component of Hostbill v.2025-11-24 and v.2025-12-01 allows high-privileged remote attackers to disrupt service availability and trigger limited integrity impacts. The vulnerability stems from insufficient input validation in CWE-400 (Uncontrolled Resource Consumption), requiring administrator-level access but presenting moderate real-world risk due to the low attack complexity and network accessibility of the affected component.

Technical ContextAI

The vulnerability resides in Hostbill's Client Balance component, a critical billing and account management feature. CWE-400 (Uncontrolled Resource Consumption / 'Billion Laughs') indicates improper handling of resource allocation-typically involving unbounded loops, excessive memory allocation, or uncontrolled object creation triggered by crafted input. The Client Balance component likely processes financial transactions and account metadata without proper bounds checking. The network-accessible attack vector (AV:N) combined with low attack complexity (AC:L) suggests the vulnerable endpoint accepts remote HTTP/API requests, but the requirement for high privileges (PR:H) limits exposure to admin accounts or authenticated backend processes. The integrity impact (I:L) alongside availability loss suggests partial data modification may accompany the denial of service, such as balance corruption.

RemediationAI

Apply the patched version released after 2025-12-01 as documented in the Hostbill security advisory at https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/. The exact fix version is not specified in available data; contact Hostbill support or consult their release notes for the current patched build. Until patching is feasible, implement the following compensating controls: (1) Restrict administrator access to the Client Balance component via role-based access control (RBAC) - limit admin privileges to only necessary users and segregate billing administration from general system administration; this reduces the attack surface by minimizing high-privilege accounts. (2) Monitor Client Balance API and component access logs for anomalous resource consumption patterns, such as repeated rapid requests or unusually large batch operations that may indicate exploitation attempts. (3) Implement rate limiting on Client Balance endpoints at the reverse proxy or API gateway layer to prevent resource exhaustion, with trade-off of potential blocking of legitimate bulk operations. (4) Disable or restrict access to the Client Balance component from untrusted networks, leaving it accessible only from internal staff or whitelisted IPs. Note that these controls do not eliminate the vulnerability but reduce feasibility and detectability of attacks. Patch as soon as available.

Share

CVE-2026-31051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy