Description
FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.
Published: 2026-06-24
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FOSSBilling versions prior to 0.8.0 expose a guest API endpoint intended for initial administrator setup. Due to a logic flaw in the admin-existence check, the endpoint remains usable even when an administrator account already exists. The flawed guard applies a countable check to a lookup result that is an administrator object or null, never a countable type, so the condition is always true. This allows an unauthenticated user to create a new administrator account and immediately obtain full administrative privileges. The impact is a complete loss of confidentiality, integrity, and availability for the billing system.
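As an added illustration of the guard pattern described in the CVE description and the paragraph above (this is not FOSSBilling's own code), the following PHP reconstructs why is_countable() on a lookup result that is a Model_Admin object or null cannot tell the two cases apart, beside a guard that tests the returned type directly. The function names, variable names and the exact shape of the flawed condition are assumptions; only the Model_Admin-or-null return and the use of is_countable() come from the advisory.

```php
<?php
// Hypothetical reconstruction, not FOSSBilling's code. Taken from the advisory:
// the lookup yields a Model_Admin object or null, and the guard relied on
// is_countable(). Everything else (names, the exact condition) is assumed.

final class Model_Admin
{
    public function __construct(public string $email) {}
}

// Stand-in for "find the first administrator": an object when one exists,
// null otherwise. It never returns an array, so it is never countable.
function findFirstAdmin(?Model_Admin $existing): ?Model_Admin
{
    return $existing;
}

// Assumed shape of the flawed guard. is_countable() is false for a plain
// object AND for null, so !is_countable($admin) holds in both cases and the
// bootstrap branch is reached even after an administrator exists. count()
// is never evaluated because the || short-circuits first.
function bootstrapAllowedFlawed(?Model_Admin $existing): bool
{
    $admin = findFirstAdmin($existing);
    return !is_countable($admin) || count($admin) === 0;
}

// Hardened guard: test the type the lookup actually returns. Bootstrap is
// permitted only when no administrator record is found at all.
function bootstrapAllowedFixed(?Model_Admin $existing): bool
{
    return findFirstAdmin($existing) === null;
}

// Constructed sample states: a fresh install and an install with an admin.
$states = [
    'fresh install (no admin)' => null,
    'admin already exists'     => new Model_Admin('admin@example.invalid'),
];

foreach ($states as $label => $state) {
    printf(
        "%-26s flawed guard allows bootstrap: %s | fixed guard allows bootstrap: %s\n",
        $label,
        bootstrapAllowedFlawed($state) ? 'yes' : 'no',
        bootstrapAllowedFixed($state) ? 'yes' : 'no'
    );
}
```

Run with php 8.0 or later; the "admin already exists" row is the case the advisory describes, where only the type-based guard refuses bootstrap.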

Affected Systems

FOSSBilling v0.7.2 and earlier.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3 and is not listed in the CISA KEV catalog. Exploitation requires only access to the unauthenticated /api/guest/staff/create endpoint, which is typically reachable over HTTP/HTTPS. An attacker who can reach the endpoint can provide any desired credentials and will be logged in as a fully privileged administrator, without needing any existing credentials or additional privileges.

Generated by OpenCVE AI on June 24, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FOSSBilling to version 0.8.0 to apply the vendor fix
  • Disable or remove the /api/guest/staff/create endpoint from the deployed API before upgrading, ensuring that no unauthenticated user can access it
  • After the upgrade, review the system's API access controls and firewall rules to confirm that no residual guest-API routes remain exposed to the public

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type         Values Removed   Values Added
Description                   (the Description shown at the top of this page)
Title                         FOSSBilling: Authentication bypass allows unauthenticated administrator creation
Weaknesses                    CWE-288, CWE-306
References
Metrics                       cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T21:01:16.544Z

Reserved: 2026-03-20T18:05:11.832Z

Link: CVE-2026-33543

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T23:15:03Z

Weaknesses
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel
  • CWE-306: Missing Authentication for Critical Function