Impact
The vulnerability is a broken authorization flaw that permits authenticated clients to retrieve data belonging to other tenants in the FOSSBilling system. Ungrouped OR clauses are appended to client list queries; because SQL evaluates AND before OR, the appended OR branch is not bound by the intended client_id constraint and allows arbitrary selection of records. Attackers can craft requests that return identifiers, amounts, status values, timestamps, and other sensitive billing fields belonging to other clients, resulting in a breach of confidentiality for client data. No code execution or privilege escalation is possible; the impact is limited to unauthorized data disclosure.
Affected Systems
The vulnerability affects the open‑source billing platform FOSSBilling in all releases up to and including 0.7.2. Versions 0.8.0 and newer incorporate a fix that enforces correct tenant scoping and removes the ungrouped OR filters.
Risk and Exploitability
The issue is a broken authorization flaw (CWE‑863) that allows any authenticated user to retrieve data belonging to other tenants. The query constructor in ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery() incorrectly appends ungrouped OR clauses, causing SQL operator precedence to override the client_id filter. As a result, attackers can fetch identifiers, amounts, status, timestamps, and related fields from other clients. The vulnerability requires only authentication; no special permissions are needed. Currently no public exploits are known and the EPSS score is unavailable. The CVSS score of 7.1 indicates a medium‑to‑high severity for confidentiality compromise. It is not listed in the CISA KEV catalog, suggesting limited exploitation, but the potential impact warrants immediate patching.
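The following is an added illustration of the query-construction bug class described above, not FOSSBilling's own code: it models a search-query builder that appends an ungrouped OR clause after the tenant filter beside the grouped (fixed) form, runs both against constructed sample rows in SQLite, and includes a regression check that fails whenever a query returns another tenant's rows. The table, column names (note, status, amount) and builder function names are assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed sample data for two tenants (client_id 101 and 202); this is
# not FOSSBilling's schema, just enough columns to show the precedence bug.
SAMPLE_ROWS = [
    (1, 101, "completed", 10.00, "invoice 1001"),
    (2, 101, "pending", 25.00, "invoice 1002"),
    (3, 202, "completed", 99.00, "invoice 2001"),
    (4, 202, "pending", 5.00, "refund 2002"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "id INTEGER PRIMARY KEY, client_id INTEGER, status TEXT, "
        "amount REAL, note TEXT)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_search_query_ungrouped(client_id, search=None):
    """Vulnerable pattern (hypothetical, modelled on the advisory's description).

    The tenant filter is emitted first and optional search terms are appended
    with bare AND ... OR .... SQL evaluates AND before OR, so the statement is
    parsed as (client_id = ? AND status LIKE ?) OR note LIKE ?, and the OR
    branch is not constrained by client_id at all.
    """
    sql = ("SELECT id, client_id, status, amount FROM transactions "
           "WHERE client_id = :client_id")
    params = {"client_id": client_id}
    if search is not None:
        sql += " AND status LIKE :search OR note LIKE :search"
        params["search"] = f"%{search}%"
    return sql, params


def build_search_query_grouped(client_id, search=None):
    """Fixed pattern: the optional OR group is wrapped in parentheses, so the
    tenant constraint applies to every branch of the search."""
    sql = ("SELECT id, client_id, status, amount FROM transactions "
           "WHERE client_id = :client_id")
    params = {"client_id": client_id}
    if search is not None:
        sql += " AND (status LIKE :search OR note LIKE :search)"
        params["search"] = f"%{search}%"
    return sql, params


def run_query(conn, builder, client_id, search=None):
    """Execute a builder's query (ordered by id for determinism) and return rows."""
    sql, params = builder(client_id, search)
    return conn.execute(sql + " ORDER BY id", params).fetchall()


def foreign_rows(rows, client_id):
    """Rows whose client_id differs from the requesting tenant: any hit is a leak."""
    return [row for row in rows if row[1] != client_id]


def tenant_scope_holds(conn, builder, client_id, search=None):
    """Regression check: True only if the query returns no other tenant's rows."""
    return not foreign_rows(run_query(conn, builder, client_id, search), client_id)


if __name__ == "__main__":
    conn = make_db()
    for name, builder in (("ungrouped", build_search_query_ungrouped),
                          ("grouped", build_search_query_grouped)):
        rows = run_query(conn, builder, 101, "invoice")
        leaked = foreign_rows(rows, 101)
        print(f"{name}: {len(rows)} rows, {len(leaked)} from other tenants")
```

With the search term "invoice" the ungrouped builder returns tenant 202's row 3 to a client scoped to 101, while the grouped builder returns only rows 1 and 2; without a search term both builders behave identically, which is why this class of bug is easy to miss in tests that never exercise the optional filters. The tenant_scope_holds check is the kind of assertion worth running over every list endpoint with every optional filter combination.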
OpenCVE Enrichment