FOSSBilling CVE-2026-53644
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated client account gives PR:L; endpoints are network-reachable with low complexity; reading secrets is C:H and resetting them is I:H; no availability impact so A:N.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an active state (e.g., suspended, canceled). The root cause is missing order-state validation in two client API endpoints, despite an isActive() helper already existing in the Serviceapikey module and the frontend UI correctly gating access on order.status == 'active'. Version 0.8.0 contains a fix. Some workarounds are available. If the Serviceapikey module is not needed, uninstall it to remove the affected endpoints. One may also use a reverse proxy or WAF to restrict access to /api/client/order/service and /api/client/serviceapikey/reset based on application-level order-state logic.
AnalysisAI
Broken object-level authorization in FOSSBilling 0.5.3 through 0.7.2 lets an authenticated client read and reset API key service secrets belonging to orders that are no longer active, such as suspended or canceled orders. Two client API endpoints skip the order-state check that the frontend UI and the module's own isActive() helper otherwise enforce, exposing high-value credentials to any logged-in customer for their non-active services. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated FOSSBilling client account (PR:L) that owns at least one order whose status is no longer 'active' - for example suspended or canceled - and the Serviceapikey module must be installed and enabled, since it exposes the /api/client/order/service and /api/client/serviceapikey/reset endpoints. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N, score 8.6) is internally consistent with the description: network-reachable, low complexity, requires low privileges (an authenticated client account), no user interaction, with high confidentiality and integrity impact and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A customer who owns a service whose order has been suspended or canceled logs into their FOSSBilling client portal and, instead of using the UI (which hides the option), directly calls /api/client/order/service or /api/client/serviceapikey/reset for that order. Because the endpoints do not verify the order is active, the attacker reads the still-valid API key secret or resets it, potentially regaining or disrupting programmatic access to a service they should no longer control. … |
| Remediation | Upgrade to FOSSBilling 0.8.0, which adds the missing order-state validation to both client API endpoints (Vendor-released patch: 0.8.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all FOSSBilling instances running versions 0.5.3-0.7.2; isolate network access where possible; audit API key usage logs for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today