Back to overview

CVE-2026-27604

CRITICAL
10.0
CVSS 4.0
Description
FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident.

Metadata

CVE ID
CVE-2026-27604
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-02-20 19:43 UTC
Published
2026-06-23 14:25 UTC
Last updated
2026-06-23 15:11 UTC
Primary CWE
CWE-200
CWE-200: Exposure of Sensitive Information to an Unauthorize…
Vendor / Product
FOSSBilling / FOSSBilling
Sources
cve.org  ·  NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
FOSSBilling FOSSBilling >= 0.5.4, < 0.8.0
Weakness (CWE)
CWESourceDescription
CWE-200 cna CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-306 cna CWE-306: Missing Authentication for Critical Function
CWE-862 cna CWE-862: Missing Authorization
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
10.0 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References (3)
Back to overview