Skip to main content

FOSSBilling CVE-2026-53647

MEDIUM
Information Exposure (CWE-200)
2026-07-07 security-advisories@github.com
6.9
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

A valid API key is required to retrieve record data, warranting PR:L over the vendor's PR:N; confidentiality impact is limited to custom_ fields only, with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 00:27 vuln.today

DescriptionCVE.org

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest serviceapikey/get_info API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters (custom_* fields) stored in the key's database record. These custom fields are populated by billing administrators and can contain business-sensitive data such as pricing tiers, feature flags, rate limits, expiry overrides, or access scope data. Version 0.8.0 patches the issue. Some workarounds are available. Administrators can avoid storing sensitive data in custom_* API key configuration fields, monitor API logs for suspicious calls to /api/guest/serviceapikey/get_info, and/or disable the Serviceapikey module if not in active use.

AnalysisAI

Unauthenticated information disclosure in FOSSBilling 0.5.3-0.7.2 exposes administrator-defined custom API key configuration fields (custom_*) to any caller possessing a valid API key via the guest-tier serviceapikey/get_info endpoint. The affected fields may contain business-sensitive operational data including pricing tiers, feature flags, rate limits, expiry overrides, and access scope data as populated by billing administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid API key as legitimate customer
Delivery
Send unauthenticated GET to /api/guest/serviceapikey/get_info
Exploit
Receive full key database record
Execution
Extract sensitive custom_* configuration fields
Impact
Leverage business logic data for fraud or privilege abuse

Vulnerability AssessmentAI

Exploitation The Serviceapikey module must be active in the FOSSBilling installation (it is a discrete, disableable module). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) correctly captures the network-accessible, zero-complexity nature of the attack with limited confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has legitimately obtained a FOSSBilling API key (e.g., as a customer of the billing platform) sends a simple unauthenticated HTTP GET request to `/api/guest/serviceapikey/get_info` with their key as a parameter. The endpoint returns the full database record for that key, including all `custom_*` fields set by the billing administrator, potentially revealing pricing tiers, access scope overrides, or rate limit exceptions not intended for the key holder. …
Remediation Upgrade to FOSSBilling 0.8.0, which patches this issue per the vendor advisory at https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-737q-9gpr-6mpq. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy