CVE-2026-33543 | FOSSBilling is a free, open-source billing and client manage… | CVSS 9.3 CRITICAL

Description

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.

Metadata

CVE ID: CVE-2026-33543
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-03-20 18:05 UTC
Published: 2026-06-24 21:01 UTC
Last updated: 2026-06-24 21:01 UTC
Primary CWE: CWE-288
CWE-288: Authentication Bypass Using an Alternate Path or Ch…
Vendor / Product: FOSSBilling / FOSSBilling
Sources: cve.org · NVD

Severity & Metrics

9.3 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
FOSSBilling	FOSSBilling	—	< 0.8.0

Weakness (CWE)

CWE	Source	Description
CWE-288	cna	CWE-288: Authentication Bypass Using an Alternate Path or Channel
CWE-306	cna	CWE-306: Missing Authentication for Critical Function

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)

https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-28mh-j262-q49w https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-28mh-j262-q49w
https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0 https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0