Skip to main content

FOSSBilling CVE-2026-43920

MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-06-26 security-advisories@github.com
6.9
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Unauthenticated network endpoint executes DROP TABLE and full session-token regeneration without constraint, warranting I:H and A:H despite predefined patch scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 26, 2026 - 00:35 vuln.today
Analysis Generated
Jun 26, 2026 - 00:35 vuln.today

DescriptionCVE.org

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, which allowed unauthenticated remote users to trigger update patch routines that modify configuration files, execute database schema changes, perform filesystem mutations, and clear caches. The /run-patcher endpoint executes privileged maintenance operations - configuration migrations, database patch execution (including ALTER TABLE, DROP TABLE, UPDATE statements), filesystem deletions and renames, and cache clearing - without requiring administrator authentication, CSRF validation, or CLI context. An unauthenticated remote attacker can trigger these operations by sending a simple HTTP GET request to /run-patcher, which can be abused for denial-of-service attacks. Certain patches (e.g., batch token regeneration for all admin and client accounts in patch 53, and session invalidation) are disruptive even when re-executed against an already-patched instance. Repeated or concurrent requests may also cause inconsistent database state. This issue has been fixed in version 0.8.0.

AnalysisAI

Unauthenticated remote access to the /run-patcher maintenance endpoint in FOSSBilling versions 0.5.4 through 0.7.2 allows any network-reachable attacker to trigger privileged database schema changes (including ALTER TABLE and DROP TABLE), configuration file migrations, filesystem mutations, and batch token regeneration for all admin and client accounts via a single HTTP GET request. The attack requires no credentials, no CSRF token, and no special headers, making it trivially automatable against any publicly exposed instance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed FOSSBilling instance on versions 0.5.4-0.7.2
Delivery
Send unauthenticated HTTP GET to /run-patcher
Exploit
Application executes all predefined patch routines
Execution
Patch 53 regenerates tokens for every admin and client account
Persist
All active sessions invalidated, locking out legitimate users
Impact
Repeat concurrent requests to corrupt database schema state

Vulnerability AssessmentAI

Exploitation The /run-patcher HTTP endpoint must be reachable over the network - no authentication, CSRF token, session cookie, or special HTTP headers are required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 score of 6.9 (VI:L/VA:L) is likely conservative relative to the described impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a single HTTP GET request to https://[target-fossbilling]/run-patcher with no authentication headers; the server executes all pending patch routines including patch 53, which regenerates tokens for every admin and client account and invalidates all active sessions, effectively locking out all current users. The attacker then sends concurrent or repeated requests to cause database state inconsistency, potentially corrupting schema state and producing cascading application errors. …
Remediation Upgrade to FOSSBilling 0.8.0, released 2026-05-28, which resolves this vulnerability along with several other security issues including hardened session and cookie handling and rate-limit improvements. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-43920 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy