Skip to main content

Hostbill CVE-2026-31052

| EUVDEUVD-2026-25424 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-24 mitre
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Apr 24, 2026 - 17:22 vuln.today
CVSS changed
Apr 24, 2026 - 17:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25424
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 00:00 nvd
MEDIUM 5.3

DescriptionCVE.org

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Checkout Authentication Flow component

AnalysisAI

Denial of service in Hostbill versions 2025-11-24 and 2025-12-01 allows remote unauthenticated attackers to degrade service availability through the Checkout Authentication Flow component via uncontrolled resource consumption (likely improper rate limiting). The vulnerability has a low-to-moderate CVSS score (5.3) reflecting limited impact scope, but exploitation requires no authentication or user interaction and can be triggered over the network.

Technical ContextAI

The vulnerability resides in Hostbill's Checkout Authentication Flow component and is classified as CWE-400 (Uncontrolled Resource Consumption). This CWE category typically encompasses improper rate limiting, resource exhaustion, or denial of service conditions triggered by excessive requests or resource allocation within a specific code path. The affected component is part of the payment checkout process, which is typically exposed to unauthenticated users during transaction initiation. The GitHub reference to 'Rate Limit Bypass' in the disclosure repository suggests the root cause is insufficient or absent rate limiting controls on the authentication endpoint.

RemediationAI

Upgrade Hostbill to the patched version released after 2025-12-01; consult https://hostbillapp.com/release-notes/ or the vendor security advisory at https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/ for the exact fixed version number. As a compensating control pending upgrade, implement rate limiting at the reverse proxy or load balancer level targeting the Checkout Authentication Flow endpoint (typically /checkout/auth or similar) to restrict requests per IP address to a reasonable threshold (e.g., 10 requests per minute per source IP). Monitor checkout logs for spike patterns indicating resource exhaustion attempts. If the vendor advisory specifies a particular query parameter or request characteristic triggering the issue, implement WAF rules to block malformed requests to the affected endpoint. Note that external rate limiting does not address the underlying code defect and should be treated as temporary; vendor patch application is the permanent fix.

Share

CVE-2026-31052 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy