Skip to main content

FOSSBilling EUVDEUVD-2026-41947

| CVE-2026-42331 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-07-06 GitHub_M
7.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

Network-reachable unauthenticated endpoint (AV:N/PR:N) but requires knowledge of a secret invoice hash and enabled hash access, so AC:H; only limited integrity impact to one unpaid invoice's gateway (I:L), no confidentiality or availability effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 22:02 EUVD
Analysis Generated
Jul 06, 2026 - 21:56 vuln.today

DescriptionCVE.org

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the payment gateway associated with an unpaid invoice. An attacker who obtains an invoice hash, which may leak through shared URLs, referrer headers, or email links, can change the gateway_id on an unpaid invoice to any payment gateway configured in the system. This does not allow redirecting payments to an arbitrary external endpoint, as the gateway must already be installed and configured by an administrator. The practical impact is further limited by the invoice_accessible_from_hash system setting. Version 0.8.0 contains a patch. No known workarounds are available.

AnalysisAI

Broken access control in FOSSBilling before 0.8.0 lets an unauthenticated attacker who knows an unpaid invoice's hash change the payment gateway (gateway_id) tied to that invoice, because the Guest API invoice/update endpoint omits an authorization check that its sibling invoice endpoints enforce. The attacker can only select gateways an administrator has already installed and configured, and the impact is further gated by the invoice_accessible_from_hash setting, so it cannot redirect funds to an arbitrary external endpoint. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain leaked invoice hash
Delivery
Call Guest API invoice/update endpoint
Exploit
Bypass missing authorization check
Execution
Set gateway_id to another configured gateway
Impact
Alter unpaid invoice payment flow

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker possess a valid hash for an unpaid invoice - obtained through leaked shared URLs, HTTP Referer headers, or email links - and that hash-based invoice access is permitted by the invoice_accessible_from_hash system setting; the target gateway must already be installed and configured by an administrator, since arbitrary external gateways cannot be introduced. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:N/VI:L/VA:N, SI:H) scores 7.7 and reflects a network-reachable, low-complexity, unauthenticated write to integrity with no confidentiality or availability impact - consistent with the description of tampering with an unpaid invoice's gateway rather than data theft or service disruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker harvests an unpaid invoice hash leaked in a Referer header, a shared payment URL, or a forwarded email link, then sends a crafted request to the unauthenticated Guest API invoice/update endpoint setting gateway_id to a different admin-configured gateway. The victim invoice's payment method is silently changed, disrupting the merchant's expected payment flow or reconciliation. …
Remediation Upgrade to FOSSBilling 0.8.0, which adds the missing authorization check on the Guest API invoice/update endpoint; the vendor states no workarounds are available (Vendor-released patch: 0.8.0, per GHSA-8755-w77f-3g7j at https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-8755-w77f-3g7j). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all FOSSBilling deployments and identify installations running versions below 0.8.0; audit recent invoice modification logs and payment gateway configuration changes for unauthorized alterations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-3490 CRITICAL POC
9.8 Jun 30

SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3. Rated critical severity (CVSS 9.8), this vuln

CVE-2026-28496 CRITICAL POC
9.4 Jun 23

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arb

CVE-2023-3491 HIGH POC
8.8 Jun 30

Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3. Rated high

CVE-2023-3230 HIGH POC
7.5 Jun 14

Missing Authorization in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated high severity (CVSS 7.5), this

CVE-2023-3393 HIGH POC
7.2 Jun 23

Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. Rated high severity (CVSS 7.2), this vulnera

CVE-2023-3229 MEDIUM POC
6.5 Jun 14

Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated medium severity (CVSS 6.5), thi

CVE-2023-3521 MEDIUM POC
6.1 Jul 06

Cross-site Scripting (XSS) - Reflected in GitHub repository fossbilling/fossbilling prior to 0.5.4. Rated medium severit

CVE-2026-27604 CRITICAL
10.0 Jun 23

Authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privi

CVE-2023-4005 CRITICAL
9.8 Jul 31

Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. Rated critical severity (CV

CVE-2023-3228 MEDIUM POC
5.7 Jun 14

Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated medium severity (CVSS 5.7), thi

CVE-2023-3227 MEDIUM POC
5.7 Jun 14

Insufficient Granularity of Access Control in GitHub repository fossbilling/fossbilling prior to 0.5.0. Rated medium sev

CVE-2023-3394 MEDIUM POC
5.4 Jun 23

Session Fixation in GitHub repository fossbilling/fossbilling prior to 0.5.1. Rated medium severity (CVSS 5.4), this vul

Share

EUVD-2026-41947 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy