Skip to main content

FOSSBilling CVE-2026-53644

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-06 security-advisories@github.com
8.6
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Authenticated client account gives PR:L; endpoints are network-reachable with low complexity; reading secrets is C:H and resetting them is I:H; no availability impact so A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 23:34 vuln.today

DescriptionCVE.org

FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an active state (e.g., suspended, canceled). The root cause is missing order-state validation in two client API endpoints, despite an isActive() helper already existing in the Serviceapikey module and the frontend UI correctly gating access on order.status == 'active'. Version 0.8.0 contains a fix. Some workarounds are available. If the Serviceapikey module is not needed, uninstall it to remove the affected endpoints. One may also use a reverse proxy or WAF to restrict access to /api/client/order/service and /api/client/serviceapikey/reset based on application-level order-state logic.

AnalysisAI

Broken object-level authorization in FOSSBilling 0.5.3 through 0.7.2 lets an authenticated client read and reset API key service secrets belonging to orders that are no longer active, such as suspended or canceled orders. Two client API endpoints skip the order-state check that the frontend UI and the module's own isActive() helper otherwise enforce, exposing high-value credentials to any logged-in customer for their non-active services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as FOSSBilling client
Delivery
Identify own suspended/canceled order
Exploit
Call serviceapikey API endpoint directly
Execution
Bypass missing order-state check
Impact
Read or reset API key secret

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated FOSSBilling client account (PR:L) that owns at least one order whose status is no longer 'active' - for example suspended or canceled - and the Serviceapikey module must be installed and enabled, since it exposes the /api/client/order/service and /api/client/serviceapikey/reset endpoints. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N, score 8.6) is internally consistent with the description: network-reachable, low complexity, requires low privileges (an authenticated client account), no user interaction, with high confidentiality and integrity impact and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A customer who owns a service whose order has been suspended or canceled logs into their FOSSBilling client portal and, instead of using the UI (which hides the option), directly calls /api/client/order/service or /api/client/serviceapikey/reset for that order. Because the endpoints do not verify the order is active, the attacker reads the still-valid API key secret or resets it, potentially regaining or disrupting programmatic access to a service they should no longer control. …
Remediation Upgrade to FOSSBilling 0.8.0, which adds the missing order-state validation to both client API endpoints (Vendor-released patch: 0.8.0). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all FOSSBilling instances running versions 0.5.3-0.7.2; isolate network access where possible; audit API key usage logs for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53644 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy