FOSSBilling CVE-2026-53643
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable admin API needing an authenticated low-priv staff account (PR:L, AC:L); CWE-200 drives C:H, with limited integrity from 'unauthorized actions' (I:L) and no clear availability impact (A:N).
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow low-privileged staff accounts to perform unauthorized actions via admin API endpoints. The root cause is a combination of the can_always_access module flag (which grants all staff access to certain modules) and insufficient permission checks or unsafe parameter handling on individual endpoints. Version 0.8.0 contains a fix. Some workarounds are available. Restrict staff accounts to only those who need access to sensitive settings and/or use a reverse proxy or WAF to restrict access to the affected endpoints to trusted IP addresses or higher-privilege roles.
AnalysisAI
Privilege escalation and unauthorized access in FOSSBilling before 0.8.0 lets authenticated low-privileged staff accounts invoke admin API endpoints they should not reach, exposing sensitive data and enabling actions reserved for higher-privilege roles. The flaw stems from the framework-level can_always_access module flag combined with weak per-endpoint permission checks, so any staff login becomes a stepping stone to sensitive settings. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated low-privileged staff account on the FOSSBilling instance (PR:L) - it is not exploitable by fully anonymous internet users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) describes a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with high confidentiality, integrity, and availability impact on the vulnerable system - a genuinely serious rating of 8.7. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or obtains a low-privileged FOSSBilling staff account (for example, a support agent or a compromised junior operator credential) sends crafted requests to admin API endpoints protected only by the can_always_access grant. Because per-endpoint permission checks are insufficient, they read sensitive configuration or client data and potentially perform administrative actions beyond their role. … |
| Remediation | Upgrade to FOSSBilling 0.8.0, which contains the official fix - Vendor-released patch: 0.8.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify and document all FOSSBilling deployments and their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today