Impact
FOSSBilling versions 0.7.2 and earlier expose a public API endpoint, /api/guest/staff/create, designed for the initial administrator bootstrap. A flaw in the admin‑existence check—using is_countable() on an object instead of a numeric count—causes the condition to always evaluate as true. As a result, an unauthenticated user can invoke the endpoint to create a new administrator account and immediately authenticate, leading to full administrative control over the billing system. This represents an authentication bypass vulnerability (CWE‑288 and CWE‑306).
Affected Systems
The affected vendor is FOSSBilling, product FOSSBilling. Endpoints are vulnerable in versions prior to 0.8.0, specifically 0.7.2 and earlier. The fix was released in the 0.8.0 release.
Risk and Exploitability
The flaw carries a CVSS score of 9.3, indicating critical severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. An attacker only needs network access to the public API endpoint; no prior credentials are required, and the attack can be performed remotely via HTTP or HTTPS. Successful exploitation provides complete administrative privileges with no additional effort.
OpenCVE Enrichment