Description
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the payment gateway associated with an unpaid invoice. An attacker who obtains an invoice hash, which may leak through shared URLs, referrer headers, or email links, can change the `gateway_id` on an unpaid invoice to any payment gateway configured in the system. This does not allow redirecting payments to an arbitrary external endpoint, as the gateway must already be installed and configured by an administrator. The practical impact is further limited by the `invoice_accessible_from_hash` system setting. Version 0.8.0 contains a patch. No known workarounds are available.
Published: 2026-07-06
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FOSSBilling, an open‑source billing system, contains a missing authorization check in the guest invoice/update API. The flaw lets an unauthenticated user who possesses an invoice hash alter the gateway_id field of any unpaid invoice. The user cannot redirect funds to an arbitrary external URL because the gateway must already be installed by an administrator, but the attacker can switch the invoice to a different configured gateway, potentially diverting payment processing or enabling a pre‑approved gateway to process the invoice without consent.

Affected Systems

All versions of FOSSBilling prior to 0.8.0 are affected by this vulnerability. The problematic endpoint is the Guest API invoice/update route that responds to requests containing an invoice hash. Administrators should verify which released versions remain in use. The vendor’s release notes state that 0.8.0 includes the missing authorization check and fixes the issue.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. Although no EPSS value is published, the exploit requires only an invoice hash, which can leak through shared URLs, referrer headers, or email links. The likely attack vector is an HTTP API call to the guest endpoint, inferred from the description. The vulnerability is not listed in the CISA KEV catalog. While the lack of an external redirection capability limits the damage, the ability to alter payment gateways can still result in financial loss or billing errors. Consequently, the risk remains significant, especially in environments that enable the invoice_accessible_from_hash setting or grant broad permissions for gateway configuration.

Generated by OpenCVE AI on July 7, 2026 at 05:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FOSSBilling to version 0.8.0 or later.
  • Disable or restrict the invoice_accessible_from_hash setting if it is not required.
  • Restrict gateway configuration privileges to trusted administrators and audit gateway usage regularly.

Generated by OpenCVE AI on July 7, 2026 at 05:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Fossbilling
Fossbilling fossbilling
Vendors & Products Fossbilling
Fossbilling fossbilling

Mon, 06 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Title FOSSBilling has incorrect authorization in invoice Guest API endpoints FOSSBilling missing authorization in guest Invoice API endpoints

Mon, 06 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the payment gateway associated with an unpaid invoice. An attacker who obtains an invoice hash, which may leak through shared URLs, referrer headers, or email links, can change the `gateway_id` on an unpaid invoice to any payment gateway configured in the system. This does not allow redirecting payments to an arbitrary external endpoint, as the gateway must already be installed and configured by an administrator. The practical impact is further limited by the `invoice_accessible_from_hash` system setting. Version 0.8.0 contains a patch. No known workarounds are available.
Title FOSSBilling has incorrect authorization in invoice Guest API endpoints
Weaknesses CWE-306
CWE-863
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N'}


Subscriptions

Fossbilling Fossbilling
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-06T21:10:36.263Z

Reserved: 2026-04-26T13:26:14.513Z

Link: CVE-2026-42331

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T05:30:04Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function

  • CWE-863

    Incorrect Authorization