
FOSSBilling: EUVD-2026-34255 / CVE-2026-43926 (MEDIUM)
Observable Response Discrepancy (CWE-204)
Published 2026-06-04 · Source: GitHub_M
CVSS 4.0 score 6.3 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

Jun 04, 2026 - 16:22  vuln.today  Source code evidence fetched
Jun 04, 2026 - 16:22  vuln.today  Analysis generated
Jun 04, 2026 - 15:01  EUVD        Patch available
Jun 04, 2026 - 14:22  NVD         CVSS changed: 6.3 (MEDIUM)
Jun 04, 2026 - 12:46  nvd         CVE published: MEDIUM 6.3
Jun 04, 2026 - 12:46  nvd         CVE published: UNKNOWN (no severity yet)

Description (GitHub Advisory)

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/* routes. This allows an attacker to probe the endpoint for valid reset tokens without any per-IP request limiting, attempt counting, or lockout mechanism. The endpoint acts as an oracle, returning a distinguishable response for valid versus invalid tokens (HTTP 200 vs HTTP 302 redirect). An attacker can submit unlimited token guesses to the password reset confirmation endpoint with no throttling applied. However, practical exploitability is significantly mitigated by the current token generation, which uses hash('sha256', random_bytes(32)), providing 256 bits of entropy. Tokens also expire after 15 minutes and are deleted after successful use. The same architectural gap applies to other controller-served auth routes, including /staff/email/:hash (admin password reset confirmation) and /client/confirm-email/:hash (email confirmation). Version 0.8.0 fixes the issue. Some workarounds are available. Configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the /client/reset-password-confirm/* and /staff/email/* paths and/or use a WAF rule to limit request rates to these endpoints.
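The architectural gap described above (auth routes served outside the /api/* limiter) is something a defender can watch for at the reverse proxy until 0.8.0 is deployed. The following is an added detection example, not code from FOSSBilling or the advisory: it parses constructed combined-format access-log lines (the log format and the sample addresses are assumptions), tracks per-IP request bursts against the three affected paths in a sliding window, and tallies the 200/302 status split that characterises token probing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Auth routes the advisory names as served by controllers outside the /api/* limiter.
UNTHROTTLED_AUTH_PATHS = ("/client/reset-password-confirm/", "/staff/email/", "/client/confirm-email/")

# Combined/common access-log line, as nginx or Apache in front of FOSSBilling would write it (assumption).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a line that is not an access-log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"], int(m["status"])

def find_token_probing(lines, window_seconds=60, threshold=20):
    """Flag IPs that hit the unthrottled auth routes >= threshold times inside any window_seconds span.
    Also tallies status codes per IP: a long run of 302s (invalid token) is the probing signature."""
    windows = defaultdict(deque)               # ip -> timestamps inside the current sliding window
    peak = defaultdict(int)                    # ip -> largest window size seen
    statuses = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[2].startswith(UNTHROTTLED_AUTH_PATHS):
            continue
        ip, ts, _path, status = rec
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        statuses[ip][status] += 1
    return {ip: {"peak": n, "statuses": dict(statuses[ip])} for ip, n in peak.items() if n >= threshold}

def _log(ip, second, path, status):
    """Build one constructed combined-format log line (sample data, not a real capture)."""
    return f'{ip} - - [04/Jun/2026:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "probe"'

# Constructed sample: one address fires 25 guesses in 25 seconds (all 302 = invalid token),
# while a genuine user follows one valid link (200) and then logs in through the API.
SAMPLE_LOG = (
    [_log("203.0.113.7", s, f"/client/reset-password-confirm/{s:064x}", 302) for s in range(25)]
    + [_log("198.51.100.4", 10, "/client/reset-password-confirm/" + "ab" * 32, 200),
       _log("198.51.100.4", 11, "/api/guest/client/login", 200)]
)
```

Calling find_token_probing(SAMPLE_LOG) flags only 203.0.113.7 (peak 25 requests in 60 s, all 302); the 60 s / 20 request defaults should be tuned to the proxy's own limit_req settings once the workaround from the advisory is in place.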

Analysis (AI)

Password reset token enumeration in FOSSBilling prior to 0.8.0 exposes three authentication endpoints - including the elevated-privilege admin reset at /staff/email/:hash - to unlimited brute-force guessing due to a rate limiter architecturally scoped exclusively to /api/* routes. The confirmation endpoint acts as a CWE-204 oracle, returning distinguishable HTTP responses (200 for valid tokens, 302 redirect for invalid), allowing an unauthenticated remote attacker to probe token validity without throttling, lockout, or attempt counting. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify valid target account email
Delivery: Trigger password reset to open 15-minute token window
Exploit: Submit unlimited hash guesses to unthrottled /client/reset-password-confirm/* or /staff/email/*
Execution: Distinguish valid token via HTTP 200 oracle response
Persist: Redeem valid token to authenticate as victim
Impact: Access client account or admin panel

Vulnerability Assessment (AI)

Exploitation: No authentication is required (CVSS PR:N); all three affected endpoints are publicly accessible without a session. …
Risk Assessment: The CVSS 4.0 score of 6.3 with vector AV:N/AC:H/AT:P/PR:N/UI:N accurately represents a nuanced risk profile. …
Exploit Scenario: An unauthenticated attacker who knows or enumerates a valid target account email triggers a password reset, then immediately floods the `/client/reset-password-confirm/:hash` endpoint with sequentially or randomly guessed token values, observing HTTP 200 versus HTTP 302 responses to identify a valid token before its 15-minute expiry. No public exploit code has been identified. …
Remediation: The primary fix is upgrading to FOSSBilling 0.8.0 (released 2026-05-28), which extends the rate limit system to cover controller-served authentication routes (PR #3461) alongside broader security hardening; the release is available at https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0. …


EUVD-2026-34255 vulnerability details – vuln.today
