Description
FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident.
Published: 2026-06-23
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FOSSBilling’s API role validation flaw, present from version 0.5.4 up to, but not including, 0.8.0, allows unauthenticated requests to reach the privileged /api/system/* endpoints. The system role maps to a cron‑level admin identity, so any caller can invoke administrative API methods without providing credentials, session cookies, or a CSRF token. This missing authentication (CWE‑306) and missing authorization (CWE‑862/863) weaknesses give attackers full control over the billing system, enabling changes to configuration, creation or deletion of client accounts, and potential data exfiltration. The flaw also permits exposure of sensitive configuration data via the API, relevant to CWE‑200.

Affected Systems

The vulnerability affects the open‑source billing and client management platform FOSSBilling in all releases starting at 0.5.4 and prior to 0.8.0. The affected product is referred to as FOSSBilling. Version 0.8.0 contains the patch that resolves the role validation issue.

Risk and Exploitability

The CVSS score of 10 classifies the flaw as critical, and the EPSS score is unavailable, indicating no published data on exploitation prevalence. The flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is through unauthenticated HTTP requests to the exposed /api/system/* endpoints; an attacker requires only open network connectivity to the target’s API interface. No credentials, session, or CSRF proof are necessary to exploit this authorization bypass.

Generated by OpenCVE AI on June 24, 2026 at 11:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FOSSBilling to version 0.8.0 or later to apply the official fix that corrects the role validation.
  • Block or restrict access to /api/system/* endpoints via a reverse proxy, firewall, or WAF, forcing authentication for those routes.
  • Configure the api.allowed_ips setting to allow API calls only from trusted IP addresses.
  • Rotate all existing admin and client API tokens immediately, as tokens could otherwise be abused before the patch.
  • Invalidate all active sessions, reset high‑privilege credentials, and investigate any suspicious /api/system/* activity as a potential security incident.

Generated by OpenCVE AI on June 24, 2026 at 11:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Fossbilling
Fossbilling fossbilling
Vendors & Products Fossbilling
Fossbilling fossbilling

Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident.
Title FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions
Weaknesses CWE-200
CWE-306
CWE-862
CWE-863
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Fossbilling Fossbilling
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:11:21.675Z

Reserved: 2026-02-20T19:43:14.602Z

Link: CVE-2026-27604

cve-icon Vulnrichment

Updated: 2026-06-23T15:11:07.845Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-306

    Missing Authentication for Critical Function

  • CWE-862

    Missing Authorization

  • CWE-863

    Incorrect Authorization