Description
FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.
Published: 2026-06-24
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FOSSBilling versions 0.7.2 and earlier expose a public API endpoint, /api/guest/staff/create, designed for the initial administrator bootstrap. A flaw in the admin‑existence check—using is_countable() on an object instead of a numeric count—causes the condition to always evaluate as true. As a result, an unauthenticated user can invoke the endpoint to create a new administrator account and immediately authenticate, leading to full administrative control over the billing system. This represents an authentication bypass vulnerability (CWE‑288 and CWE‑306).

Affected Systems

The affected vendor is FOSSBilling, product FOSSBilling. Endpoints are vulnerable in versions prior to 0.8.0, specifically 0.7.2 and earlier. The fix was released in the 0.8.0 release.

Risk and Exploitability

The flaw carries a CVSS score of 9.3, indicating critical severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. An attacker only needs network access to the public API endpoint; no prior credentials are required, and the attack can be performed remotely via HTTP or HTTPS. Successful exploitation provides complete administrative privileges with no additional effort.

Generated by OpenCVE AI on June 25, 2026 at 00:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FOSSBilling to version 0.8.0 to apply the vendor fix
  • Block or remove the /api/guest/staff/create endpoint from the deployed API until the upgrade is completed
  • Restrict access to the API endpoint to trusted IPs or apply firewall rules as a temporary mitigation

Generated by OpenCVE AI on June 25, 2026 at 00:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Fossbilling
Fossbilling fossbilling
Vendors & Products Fossbilling
Fossbilling fossbilling

Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.
Title FOSSBilling: Authentication bypass allows unauthenticated administrator creation
Weaknesses CWE-288
CWE-306
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Fossbilling Fossbilling
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:22:14.263Z

Reserved: 2026-03-20T18:05:11.832Z

Link: CVE-2026-33543

cve-icon Vulnrichment

Updated: 2026-06-25T13:22:10.759Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T06:30:16Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel

  • CWE-306

    Missing Authentication for Critical Function