CVE-2026-27708 - Vulnerability Details

Description

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach — attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.

Published: 2026-06-24

Score: 7.1 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Servicecustom Client API’s __call method allows an authenticated client to retrieve another client’s custom service data by supplying an order_id that is not validated for ownership. This IDOR vulnerability exposes personally identifying information—such as name, email, phone, address, company details, and VAT number—of other clients. No code execution or denial‑of‑service capability is described in the advisory, so the primary consequence is confidential data disclosure.

Affected Systems

The vulnerability applies to FOSSBilling, the free, open‑source billing and client management system. Versions 0.7.2 and earlier contain the flaw; the issue is fixed in release 0.8.0. Any install that has not been upgraded beyond 0.7.2 is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high risk to confidentiality. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require only an authenticated client session; by guessing or enumerating sequential order IDs, an attacker can access data belonging to other clients. Because the flaw does not rely on special privileges or network exposure, exploitation is dependent on the ability to predict order numbers and on user session persistence.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FOSSBilling

affected

Version	Status	Constraints
`< 0.8.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade FOSSBilling to version 0.8.0 or later to apply the vendor fix that enforces order ownership checks.
If you cannot upgrade immediately, add an explicit ownership validation in the Servicecustom API so that only the client who owns the order ID can retrieve its data.
Review authentication logs for anomalous order_id requests and consider rate‑limiting or blocking repeated access patterns to mitigate unauthorized enumeration attempts.

Generated by OpenCVE AI on June 24, 2026 at 21:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0
https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j

History

Wed, 24 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach — attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.
Title		FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access
Weaknesses		CWE-284 CWE-639 CWE-862
References		https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0 https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j
Metrics		cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-24T19:24:50.417Z

Updated: 2026-06-24T19:24:50.417Z

Reserved: 2026-02-23T17:56:51.203Z

Link: CVE-2026-27708

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:45:15Z

Weaknesses

CWE-284
Improper Access Control
CWE-639
Authorization Bypass Through User-Controlled Key
CWE-862
Missing Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object