Back to overview

CVE-2026-53644

HIGH
8.6
CVSS 4.0
Description
FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an `active` state (e.g., `suspended`, `canceled`). The root cause is missing order-state validation in two client API endpoints, despite an `isActive()` helper already existing in the `Serviceapikey` module and the frontend UI correctly gating access on `order.status == 'active'`. Version 0.8.0 contains a fix. Some workarounds are available. If the `Serviceapikey` module is not needed, uninstall it to remove the affected endpoints. One may also use a reverse proxy or WAF to restrict access to `/api/client/order/service` and `/api/client/serviceapikey/reset` based on application-level order-state logic.

Metadata

CVE ID
CVE-2026-53644
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-09 20:16 UTC
Published
2026-07-06 22:51 UTC
Last updated
2026-07-06 22:51 UTC
Primary CWE
CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product
FOSSBilling / FOSSBilling
Sources
cve.org  ·  NVD

Severity & Metrics

8.6 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
FOSSBilling FOSSBilling >= 0.5.3, < 0.8.0
Weakness (CWE)
CWESourceDescription
CWE-639 cna CWE-639: Authorization Bypass Through User-Controlled Key
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.6 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References (1)
Back to overview