Skip to main content

FOSSBilling CVE-2026-53643

HIGH
Information Exposure (CWE-200)
2026-07-06 security-advisories@github.com
8.7
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network-reachable admin API needing an authenticated low-priv staff account (PR:L, AC:L); CWE-200 drives C:H, with limited integrity from 'unauthorized actions' (I:L) and no clear availability impact (A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 23:32 vuln.today

DescriptionCVE.org

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow low-privileged staff accounts to perform unauthorized actions via admin API endpoints. The root cause is a combination of the can_always_access module flag (which grants all staff access to certain modules) and insufficient permission checks or unsafe parameter handling on individual endpoints. Version 0.8.0 contains a fix. Some workarounds are available. Restrict staff accounts to only those who need access to sensitive settings and/or use a reverse proxy or WAF to restrict access to the affected endpoints to trusted IP addresses or higher-privilege roles.

AnalysisAI

Privilege escalation and unauthorized access in FOSSBilling before 0.8.0 lets authenticated low-privileged staff accounts invoke admin API endpoints they should not reach, exposing sensitive data and enabling actions reserved for higher-privilege roles. The flaw stems from the framework-level can_always_access module flag combined with weak per-endpoint permission checks, so any staff login becomes a stepping stone to sensitive settings. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged staff
Delivery
Call can_always_access admin API endpoint
Exploit
Bypass insufficient permission check
Execution
Read sensitive data or perform unauthorized action
Impact
Escalate access to privileged settings

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated low-privileged staff account on the FOSSBilling instance (PR:L) - it is not exploitable by fully anonymous internet users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) describes a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with high confidentiality, integrity, and availability impact on the vulnerable system - a genuinely serious rating of 8.7. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains a low-privileged FOSSBilling staff account (for example, a support agent or a compromised junior operator credential) sends crafted requests to admin API endpoints protected only by the can_always_access grant. Because per-endpoint permission checks are insufficient, they read sensitive configuration or client data and potentially perform administrative actions beyond their role. …
Remediation Upgrade to FOSSBilling 0.8.0, which contains the official fix - Vendor-released patch: 0.8.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify and document all FOSSBilling deployments and their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy