Description
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, which allowed unauthenticated remote users to trigger update patch routines that modify configuration files, execute database schema changes, perform filesystem mutations, and clear caches. The /run-patcher endpoint executes privileged maintenance operations - configuration migrations, database patch execution (including ALTER TABLE, DROP TABLE, UPDATE statements), filesystem deletions and renames, and cache clearing - without requiring administrator authentication, CSRF validation, or CLI context. An unauthenticated remote attacker can trigger these operations by sending a simple HTTP GET request to /run-patcher, which can be abused for denial-of-service attacks. Certain patches (e.g., batch token regeneration for all admin and client accounts in patch 53, and session invalidation) are disruptive even when re-executed against an already-patched instance. Repeated or concurrent requests may also cause inconsistent database state. This issue has been fixed in version 0.8.0.
Published: 2026-06-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FOSSBilling versions 0.5.4 through 0.7.2 expose a /run-patcher maintenance endpoint that can be accessed without authentication or CSRF protection. An attacker can send a simple HTTP GET request to trigger privileged update procedures, resulting in configuration file changes, database schema modifications (including ALTER TABLE, DROP TABLE, UPDATE commands), filesystem deletions or renames, and cache clearing. These actions can disrupt service availability, compromise database consistency, and erase or alter critical configuration data. The vulnerability is a moderate-severity flaw that lets unauthenticated users trigger these destructive maintenance operations at will.

Affected Systems

The affected product is FOSSBilling, a free, open-source billing and client management system. Vulnerable versions range from 0.5.4 up to and including 0.7.2. The issue was fixed in release 0.8.0.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. While the EPSS score is not provided, the lack of authentication and the direct exposure of a privileged endpoint make exploitation highly likely if the system is reachable from the internet. The vulnerability is not listed in the CISA KEV catalog, but the potential for widespread damage and lack of safeguards warrant prompt attention. Attackers can simply make an unauthenticated request over HTTP, so the attack vector is remote network access.

Generated by OpenCVE AI on June 26, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FOSSBilling to version 0.8.0 or later, which removes the /run-patcher endpoint
  • Block access to the /run-patcher endpoint via web-server firewall or ACL rules to prevent unauthenticated requests
  • Configure the application or server to deny access to /run-patcher if an explicit disable or route restriction is available
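Until the upgrade or the web-server block is in place, access logs are the quickest way to see whether the endpoint has already been hit. The following is an added example (not OpenCVE's or FOSSBilling's code) that scans combined-format access log lines for requests to /run-patcher, reports which sources reached it with a 2xx (i.e. the block was not in effect) and which hit it more than once, since the advisory notes that repeated runs can leave the database inconsistent. The log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access log lines (combined log format) for illustration
# only; they are not real traffic from any FOSSBilling host.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jun/2026:23:50:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Jun/2026:23:50:02 +0000] "GET /run-patcher HTTP/1.1" 200 87 "-" "curl/8.4.0"
203.0.113.10 - - [25/Jun/2026:23:50:02 +0000] "GET /run-patcher HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.7 - - [25/Jun/2026:23:51:10 +0000] "GET /run-patcher?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.10 - - [25/Jun/2026:23:52:30 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Source IP, timestamp, method, request path and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_patcher_hits(log_text, endpoint="/run-patcher"):
    """Return one dict per request whose path (query string and trailing slash
    ignored) is the maintenance endpoint, regardless of HTTP method."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]
        if path.rstrip("/") == endpoint:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status"))})
    return hits

def summarize(hits):
    """Per-source request counts, sources whose request got a 2xx (the patch
    run was not blocked), and sources that triggered the endpoint repeatedly."""
    per_ip = Counter(h["ip"] for h in hits)
    succeeded = {h["ip"] for h in hits if 200 <= h["status"] < 300}
    repeated = {ip for ip, n in per_ip.items() if n > 1}
    return {"per_ip": dict(per_ip), "succeeded": succeeded, "repeated": repeated}

if __name__ == "__main__":
    report = summarize(find_patcher_hits(SAMPLE_LOG))
    for ip, n in report["per_ip"].items():
        flag = "REACHED" if ip in report["succeeded"] else "blocked"
        print(f"{ip}: {n} request(s) to /run-patcher ({flag})")
```

Any source in the `succeeded` set reached the patcher while it was unauthenticated, so the instance should be checked for unexpected configuration, schema and session changes.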

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:45:00 +0000

Type            Values Removed   Values Added
Description     -                FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, which allowed unauthenticated remote users to trigger update patch routines that modify configuration files, execute database schema changes, perform filesystem mutations, and clear caches. The /run-patcher endpoint executes privileged maintenance operations - configuration migrations, database patch execution (including ALTER TABLE, DROP TABLE, UPDATE statements), filesystem deletions and renames, and cache clearing - without requiring administrator authentication, CSRF validation, or CLI context. An unauthenticated remote attacker can trigger these operations by sending a simple HTTP GET request to /run-patcher, which can be abused for denial-of-service attacks. Certain patches (e.g., batch token regeneration for all admin and client accounts in patch 53, and session invalidation) are disruptive even when re-executed against an already-patched instance. Repeated or concurrent requests may also cause inconsistent database state. This issue has been fixed in version 0.8.0.
Title           -                FOSSBilling: Unauthenticated update patcher endpoint allows remote maintenance execution
Weaknesses      -                CWE-306
References      -                -
Metrics         -                cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T23:06:43.546Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43920

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T01:30:17Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function