
FOSSBilling EUVD-2026-38613 | CVE-2026-23513 HIGH
Incorrect Authorization (CWE-863)
2026-06-23 GitHub_M
7.1 CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable client endpoint (AV:N), no special timing or race condition (AC:L, AT:N), requires a low-privileged client login (PR:L), no user interaction (UI:N), and a confidentiality-only cross-tenant data leak, so C:H with I:N and A:N.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Patch available: Jun 23, 2026 - 22:02 (EUVD)
Source Code Evidence Fetched: Jun 23, 2026 - 20:50 (vuln.today)
Analysis Generated: Jun 23, 2026 - 20:50 (vuln.today)

Description (CVE.org)

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data.

Details: In ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery(), OR-based search/action filters were appended without grouping, allowing SQL operator precedence to evaluate OR clauses independently of the enforced client_id constraint. Crafted requests could therefore return records and metadata belonging to other clients, including identifiers, amounts, status, timestamps, and related fields. This issue was fixed in version 0.8.0.
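To make the precedence flaw named in the description concrete, here is an added example (constructed for this page, not FOSSBilling's own code; the table, column names and sample rows are assumed). It builds a tenant-scoped list query both ways against an in-memory SQLite table and shows that only the parenthesised form keeps the client_id constraint in force for every search branch.

```python
import sqlite3

# Constructed sample data (not FOSSBilling's schema): transactions of two clients.
ROWS = [
    (1, 101, "paid", "paypal"),
    (2, 101, "pending", "stripe"),
    (3, 202, "paid", "stripe"),
    (4, 202, "refunded", "paypal"),
]


def _connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tx (id INTEGER, client_id INTEGER, status TEXT, gateway TEXT)")
    con.executemany("INSERT INTO tx VALUES (?, ?, ?, ?)", ROWS)
    return con


def build_query(client_id, search, grouped):
    """Mimic a list-endpoint query builder with a mandatory tenant filter.

    A free-text search is ORed across several columns.  With grouped=False the
    OR terms are appended bare, so SQL reads the WHERE clause as
        (client_id = :cid AND status LIKE :s) OR gateway LIKE :s
    and the last branch is not scoped to the tenant at all.  With grouped=True
    the OR terms are parenthesised, so AND binds client_id to all of them.
    """
    sql = "SELECT id, client_id FROM tx WHERE client_id = :cid"
    params = {"cid": client_id}
    if search:
        params["s"] = f"%{search}%"
        branches = " OR ".join(["status LIKE :s", "gateway LIKE :s"])
        sql += f" AND ({branches})" if grouped else f" AND {branches}"
    return sql, params


def run(client_id, search, grouped):
    """Execute the built query and return (id, client_id) rows."""
    sql, params = build_query(client_id, search, grouped)
    con = _connect()
    return con.execute(sql, params).fetchall()


def leaked_ids(client_id, search, grouped):
    """Ids returned that belong to another client; a correct query yields []."""
    return sorted(i for i, cid in run(client_id, search, grouped) if cid != client_id)


if __name__ == "__main__":
    print("ungrouped leaks:", leaked_ids(101, "stripe", grouped=False))  # [3]
    print("grouped leaks:", leaked_ids(101, "stripe", grouped=True))     # []
```

A regression test of this shape, asserting that leaked_ids() is empty for every search term, is the cheapest way to keep a tenant filter from silently regressing when new OR branches are added to a query builder.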

Analysis (AI)

Cross-tenant data exposure in FOSSBilling 0.7.2 and earlier lets authenticated client users retrieve transaction and order records belonging to other clients by abusing SQL operator precedence in list-endpoint search queries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low complexity and low-privilege requirement make it a meaningful confidentiality risk for multi-tenant deployments. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain client account on target FOSSBilling instance
Delivery: Authenticate to client area
Exploit: Send crafted search/action filter to transactions or orders endpoint
Execution: SQL OR precedence bypasses client_id scoping
Persist: Receive other clients' billing records
Impact: Harvest identifiers, amounts, and timestamps

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated low-privileged client account on a network-reachable FOSSBilling 0.7.2-or-earlier instance with the standard client area exposed, matching CVSS PR:L, AV:N, AC:L, UI:N. …

Risk Assessment: The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N (score 7.1) accurately models the threat: network-reachable, low-complexity, requires an authenticated low-privileged client account, no user interaction, and produces high confidentiality impact with no integrity or availability impact. …

Exploit Scenario: An attacker registers or already controls a legitimate low-privileged client account on a FOSSBilling tenant. They send crafted GET/POST requests to the client-facing transactions or orders list endpoints with search or action filter parameters that satisfy the OR branch of the WHERE clause, causing the database to return rows where client_id does not match their own. …

Remediation: Vendor-released patch: FOSSBilling 0.8.0 (released 2026-05-28). Upgrade per https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0 and the advisory at https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-xcrv-cccw-r65v. …

Recommended Action (AI)

24 hours: Identify all FOSSBilling instances, confirm versions, and assess scope (number of tenants, data classification). …




EUVD-2026-38613 vulnerability details – vuln.today
