Back to overview

CVE-2026-42341

CRITICAL
9.2
CVSS 4.0
Description
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit the associated client account without making an actual payment, by sending a single crafted HTTP request. Version 0.8.0 patches the issue. Some workarounds are available. Disable the Custom payment gateway if not actively needed and/or restrict access to `/ipn.php` at the web server level (e.g., via IP allowlisting), noting that this may interfere with legitimate payment callback processing.

Metadata

CVE ID
CVE-2026-42341
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-04-26 13:26 UTC
Published
2026-07-06 20:53 UTC
Last updated
2026-07-06 20:54 UTC
Primary CWE
CWE-306
CWE-306: Missing Authentication for Critical Function
Vendor / Product
FOSSBilling / FOSSBilling
Sources
cve.org  ·  NVD

Severity & Metrics

9.2 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Affected products (1)
VendorProductPlatformVersions
FOSSBilling FOSSBilling >= 0.6.0, < 0.8.0
Weakness (CWE)
CWESourceDescription
CWE-306 cna CWE-306: Missing Authentication for Critical Function
CWE-346 cna CWE-346: Origin Validation Error
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.2 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
References (1)
Back to overview