FOSSBilling CVE-2026-53647
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
A valid API key is required to retrieve record data, warranting PR:L over the vendor's PR:N; confidentiality impact is limited to custom_ fields only, with no integrity or availability impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest serviceapikey/get_info API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters (custom_* fields) stored in the key's database record. These custom fields are populated by billing administrators and can contain business-sensitive data such as pricing tiers, feature flags, rate limits, expiry overrides, or access scope data. Version 0.8.0 patches the issue. Some workarounds are available. Administrators can avoid storing sensitive data in custom_* API key configuration fields, monitor API logs for suspicious calls to /api/guest/serviceapikey/get_info, and/or disable the Serviceapikey module if not in active use.
AnalysisAI
Unauthenticated information disclosure in FOSSBilling 0.5.3-0.7.2 exposes administrator-defined custom API key configuration fields (custom_*) to any caller possessing a valid API key via the guest-tier serviceapikey/get_info endpoint. The affected fields may contain business-sensitive operational data including pricing tiers, feature flags, rate limits, expiry overrides, and access scope data as populated by billing administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Serviceapikey module must be active in the FOSSBilling installation (it is a discrete, disableable module). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) correctly captures the network-accessible, zero-complexity nature of the attack with limited confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has legitimately obtained a FOSSBilling API key (e.g., as a customer of the billing platform) sends a simple unauthenticated HTTP GET request to `/api/guest/serviceapikey/get_info` with their key as a parameter. The endpoint returns the full database record for that key, including all `custom_*` fields set by the billing administrator, potentially revealing pricing tiers, access scope overrides, or rate limit exceptions not intended for the key holder. … |
| Remediation | Upgrade to FOSSBilling 0.8.0, which patches this issue per the vendor advisory at https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-737q-9gpr-6mpq. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today