FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding read endpoints have no authorization guards. Version 0.8.0 contains a fix. Some workarounds are available. Restrict staff accounts to only those who need access to sensitive data and/or use a reverse proxy or WAF to restrict access to the affected endpoints.
Metrics
Affected Vendors & Products
References
History
Tue, 07 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Fossbilling
Fossbilling fossbilling |
|
| Vendors & Products |
Fossbilling
Fossbilling fossbilling |
Mon, 06 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding read endpoints have no authorization guards. Version 0.8.0 contains a fix. Some workarounds are available. Restrict staff accounts to only those who need access to sensitive data and/or use a reverse proxy or WAF to restrict access to the affected endpoints. | |
| Title | FOSSBilling missing authorization checks on read-only admin API endpoints expose sensitive staff, client, and redirect data | |
| Weaknesses | CWE-200 CWE-862 |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-06T22:30:48.314Z
Reserved: 2026-06-09T20:16:59.648Z
Link: CVE-2026-53640
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T00:00:12Z