CVE-2026-27708 | FOSSBilling is a free, open-source billing and client manage… | CVSS 7.1 HIGH

Description

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach — attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.

Metadata

CVE ID: CVE-2026-27708
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-02-23 17:56 UTC
Published: 2026-06-24 19:24 UTC
Last updated: 2026-06-24 19:24 UTC
Primary CWE: CWE-284
CWE-284: Improper Access Control
Vendor / Product: FOSSBilling / FOSSBilling
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
FOSSBilling	FOSSBilling	—	< 0.8.0

Weakness (CWE)

CWE	Source	Description
CWE-284	cna	CWE-284: Improper Access Control
CWE-639	cna	CWE-639: Authorization Bypass Through User-Controlled Key
CWE-862	cna	CWE-862: Missing Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References (2)

https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j
https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0 https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0