Skip to main content

FOSSBilling CVE-2026-53646

HIGH
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-07-06 security-advisories@github.com
7.7
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network guest endpoint (PR:N) but AC:H because the attacker must already hold the unexpired original link, and UI:R since the victim must trigger a reset; account takeover yields full C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 06, 2026 - 23:38 vuln.today
CVE Published
Jul 06, 2026 - 23:16 cve.org
HIGH 7.7

DescriptionCVE.org

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a ClientPasswordReset record already exists for a client (from a previous unexpired reset request), subsequent calls to the reset_password guest API endpoint reuse the existing token instead of generating a new one. The 15-minute validity window is anchored to the first request's created_at timestamp, not the time of the most recent email. An attacker who obtained the original reset link remains able to use it even after the victim requests a new reset, because the original token is never invalidated or rotated. Version 0.8.0 patches the issue. Some workarounds are available. Configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the /client/reset-password endpoint to minimize the window of opportunity, and/or manually clear expired client_password_reset records from the database after a client reports a suspected compromise.

AnalysisAI

Account takeover in FOSSBilling 0.5.6 through 0.7.2 arises because the reset_password guest API endpoint reuses an existing, unexpired ClientPasswordReset token rather than rotating it on each request. An attacker who has captured a victim's earlier reset link retains a valid path to hijack the account even after the victim requests a fresh reset, since the original token is never invalidated and its 15-minute window is anchored to the first request. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain victim's original reset link
Delivery
Victim requests new reset
Exploit
Endpoint reuses old unexpired token
Execution
Submit captured link within 15-min window
Persist
Set attacker-controlled password
Impact
Full account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker has already obtained a valid, still-unexpired original password-reset link for the target client (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate rather than emergency-grade. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains a victim's original password-reset link - for example via a leaked or forwarded email, shared inbox, or a URL captured in logs - waits for or observes the victim requesting a new reset. Because the original token is never rotated and remains valid for its full 15-minute window from first issuance, the attacker submits the old link to complete the reset and seize the account. …
Remediation Vendor-released patch: 0.8.0 - upgrade FOSSBilling to 0.8.0 or later, which corrects token rotation/invalidation, per advisory GHSA-vp66-w6rc-x32p (https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-vp66-w6rc-x32p). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all FOSSBilling instances running affected versions 0.5.6-0.7.2; invalidate all active ClientPasswordReset tokens; review access logs for suspicious account modifications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-53646 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy