FOSSBilling CVE-2026-53642
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible web application, low-privilege authenticated client account required, no user interaction; confidentiality limited to financial data read with no integrity or availability impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address (email_approved = 0) can access all client-area pages (e.g. /client/balance, /client/order/list, /client/invoice) and read real account data, including wallet balances and transaction history. The API-side enforcement correctly restricts unverified clients to only profile-related endpoints, but the page-side enforcement is overly permissive, allowing any request whose path starts with /client. Version 0.8.0 contains a fix. No known workarounds that don't involve modifying the source code are available.
AnalysisAI
Incorrect authorization in FOSSBilling versions 0.5.6 through 0.7.2 allows authenticated clients with unverified email addresses to bypass the 'Require Email Confirmation' access control gate and read sensitive financial account data - including wallet balances and full transaction history - across all client-area pages. The application maintains two separate authorization layers: an API-level guard that correctly restricts unverified clients, and a page-level routing guard that is overly permissive, admitting any request whose URL path begins with /client, creating an exploitable enforcement gap. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The 'Require Email Confirmation' admin configuration setting must be explicitly enabled - FOSSBilling instances without this setting are not affected by this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) is a reasonable representation of real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a client account on a FOSSBilling instance that has 'Require Email Confirmation' enabled, deliberately skipping email verification. After logging in with the unverified account, they directly navigate to pages such as /client/balance, /client/order/list, or /client/invoice - URLs the page-level router permits because they begin with /client - and read sensitive financial data the application intended to hide from unverified users. … |
| Remediation | Upgrade FOSSBilling to version 0.8.0, which corrects the page-level authorization enforcement to match the existing API-layer restriction. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today