FOSSBilling CVE-2026-43920
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network endpoint executes DROP TABLE and full session-token regeneration without constraint, warranting I:H and A:H despite predefined patch scope.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, which allowed unauthenticated remote users to trigger update patch routines that modify configuration files, execute database schema changes, perform filesystem mutations, and clear caches. The /run-patcher endpoint executes privileged maintenance operations - configuration migrations, database patch execution (including ALTER TABLE, DROP TABLE, UPDATE statements), filesystem deletions and renames, and cache clearing - without requiring administrator authentication, CSRF validation, or CLI context. An unauthenticated remote attacker can trigger these operations by sending a simple HTTP GET request to /run-patcher, which can be abused for denial-of-service attacks. Certain patches (e.g., batch token regeneration for all admin and client accounts in patch 53, and session invalidation) are disruptive even when re-executed against an already-patched instance. Repeated or concurrent requests may also cause inconsistent database state. This issue has been fixed in version 0.8.0.
AnalysisAI
Unauthenticated remote access to the /run-patcher maintenance endpoint in FOSSBilling versions 0.5.4 through 0.7.2 allows any network-reachable attacker to trigger privileged database schema changes (including ALTER TABLE and DROP TABLE), configuration file migrations, filesystem mutations, and batch token regeneration for all admin and client accounts via a single HTTP GET request. The attack requires no credentials, no CSRF token, and no special headers, making it trivially automatable against any publicly exposed instance. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The /run-patcher HTTP endpoint must be reachable over the network - no authentication, CSRF token, session cookie, or special HTTP headers are required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 score of 6.9 (VI:L/VA:L) is likely conservative relative to the described impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a single HTTP GET request to https://[target-fossbilling]/run-patcher with no authentication headers; the server executes all pending patch routines including patch 53, which regenerates tokens for every admin and client account and invalidates all active sessions, effectively locking out all current users. The attacker then sends concurrent or repeated requests to cause database state inconsistency, potentially corrupting schema state and producing cascading application errors. … |
| Remediation | Upgrade to FOSSBilling 0.8.0, released 2026-05-28, which resolves this vulnerability along with several other security issues including hardened session and cookie handling and rate-limit improvements. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today