Severity by source
CVSS 4.0 vector (Vendor: GitHub_M):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network attacker reaches the admin API with no user interaction; scope changes as the cron admin identity is assumed, yielding full C/I/A impact on both the vulnerable and subsequent systems.
Primary rating from Vendor (GitHub_M).
Description (source: CVE.org)
FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged /api/system/* endpoints. Because the `system` role resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, a session, or a CSRF token. Version 0.8.0 patches the issue. Some workarounds are available: block external access to /api/system/* at the reverse proxy/WAF, restrict API access to trusted source IPs only (api.allowed_ips), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious /api/system/ access and treat it as a potential incident.
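The last workaround above is a log review. As an added example (not code from the advisory or from the FOSSBilling project), the function below scans access log lines in combined log format, flags every /api/system/* request that did not come from a trusted source network (mirroring the api.allowed_ips allowlist), and records whether the server answered with a success status. The trusted ranges, IPs, timestamps and method names in the sample log are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in combined log format; not real traffic.
# Method names after /api/system/ are placeholders, not a claim about the real API.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:01:03 +0000] "GET /api/system/version HTTP/1.1" 200 83 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:12:01:05 +0000] "POST /api/system/placeholder_admin_method HTTP/1.1" 200 12 "-" "curl/8.5.0"
10.0.0.5 - - [10/Mar/2026:12:02:00 +0000] "GET /api/system/placeholder_cron_method HTTP/1.1" 200 410 "-" "FOSSBilling-cron"
198.51.100.9 - - [10/Mar/2026:12:03:10 +0000] "GET /api/guest/system/version HTTP/1.1" 200 83 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:12:04:44 +0000] "GET /api/system/placeholder_admin_method?x=1 HTTP/1.1" 403 0 "-" "curl/8.5.0"
"""

# Assumed trusted networks, standing in for the api.allowed_ips setting:
# only these sources are expected to reach /api/system/* legitimately.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.1/32")]

# ip, ts, method, path and status from a combined-format request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SOURCES)

def find_suspicious_system_api_calls(log_text: str) -> list[dict]:
    """One finding per /api/system/* request from an untrusted source.

    /api/guest/... and /api/admin/... paths are not matched: only the bare
    `system` role prefix is the one the bypass abuses.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        if not path.startswith("/api/system/") or is_trusted(m["ip"]):
            continue
        status = int(m["status"])
        findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": path, "status": status,
                         # a 2xx means the request reached the handler; a 403
                         # after a proxy/WAF block is a blocked attempt
                         "succeeded": 200 <= status < 300})
    return findings

def count_by_source(findings: list[dict]) -> Counter:
    """Source IPs ranked by number of flagged /api/system/ requests."""
    return Counter(f["ip"] for f in findings)
```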
Analysis (AI-generated)
An authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privileged /api/system/* admin API methods, because the `system` role resolves to the cron admin identity without requiring credentials, a session, or a CSRF token. The flaw, rated 10.0 on CVSS 4.0 with full vulnerable- and subsequent-system impact, is patched in 0.8.0; publicly available exploit code exists, per VulnCheck's writeup chaining this bypass with SSTI for remote code execution.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | No special conditions: remote unauthenticated exploitation against default configurations of FOSSBilling 0.5.4 through 0.7.x, requiring only network reachability to the `/api/system/*` API path. … |
| Risk Assessment | All signals point to top-tier priority. … |
| Exploit Scenario | An attacker on the internet sends a direct HTTP request to `https://victim-billing.example.com/api/system/<method>` with no authentication, session cookie, or CSRF token. The role resolver maps the call to the cron admin identity, granting full administrative API access; per VulnCheck's public writeup, this is then chained with a server-side template injection sink to achieve remote code execution as the web user. … |
| Remediation | Vendor-released patch: upgrade FOSSBilling to version 0.8.0 or later, per advisories GHSA-78x5-c8gw-8279 and GHSA-57mv-jm88-66jc. … |
Recommended Action (AI-generated)
Within 24 hours: Identify all FOSSBilling deployments and document current versions. …
Weakness: CWE-200 – Information Exposure
Technique: Information Disclosure
EUVD identifier: EUVD-2026-38451