Skip to main content

FOSSBilling EUVDEUVD-2026-38451

| CVE-2026-27604 CRITICAL
Information Exposure (CWE-200)
2026-06-23 GitHub_M
10.0
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
10.0 CRITICAL

Unauthenticated network attacker reaches admin API with no user interaction; scope changes as cron admin identity is assumed, yielding full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 23, 2026 - 16:01 EUVD
Analysis Generated
Jun 23, 2026 - 15:05 vuln.today

DescriptionCVE.org

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged /api/system/* endpoints. Because system resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to /api/system/* at reverse proxy/WAF, restrict API access by trusted source IPs only (api.allowed_ips), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious /api/system/ access and treat as potential incident.

AnalysisAI

Authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privileged /api/system/* admin API methods because the system role resolves to the cron admin identity without requiring credentials, session, or CSRF token. The flaw, rated CVSS 4.0 10.0 with full vulnerable- and subsequent-system impact, is patched in 0.8.0; publicly available exploit code exists per VulnCheck's writeup chaining this bypass to SSTI for remote code execution.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify exposed FOSSBilling instance
Delivery
Send unauthenticated request to /api/system/*
Exploit
Bypass role check as cron admin
Install
Invoke privileged admin API method
C2
Chain to SSTI template injection
Execute
Execute arbitrary code as web user
Impact
Pivot to billing data and credentials

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of FOSSBilling 0.5.4 through 0.7.x, requiring only network reachability to the `/api/system/*` API path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals point to top-tier priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the internet sends a direct HTTP request to `https://victim-billing.example.com/api/system/<method>` with no authentication, session cookie, or CSRF token. The role resolver maps the call to the cron admin identity, granting full administrative API access; per VulnCheck's public writeup, this is then chained with a server-side template injection sink to achieve remote code execution as the web user. …
Remediation Vendor-released patch: upgrade FOSSBilling to version 0.8.0 or later, per advisories GHSA-78x5-c8gw-8279 and GHSA-57mv-jm88-66jc. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all FOSSBilling deployments and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy