Back to overview

CVE-2026-53647

MEDIUM
6.9
CVSS 4.0
Description
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest `serviceapikey/get_info` API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters (`custom_*` fields) stored in the key's database record. These custom fields are populated by billing administrators and can contain business-sensitive data such as pricing tiers, feature flags, rate limits, expiry overrides, or access scope data. Version 0.8.0 patches the issue. Some workarounds are available. Administrators can avoid storing sensitive data in `custom_*` API key configuration fields, monitor API logs for suspicious calls to `/api/guest/serviceapikey/get_info`, and/or disable the Serviceapikey module if not in active use.

Metadata

CVE ID
CVE-2026-53647
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-09 20:50 UTC
Published
2026-07-06 23:10 UTC
Last updated
2026-07-06 23:10 UTC
Primary CWE
CWE-200
CWE-200: Exposure of Sensitive Information to an Unauthorize…
Vendor / Product
FOSSBilling / FOSSBilling
Sources
cve.org  ·  NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
FOSSBilling FOSSBilling >= 0.5.3, < 0.8.0
Weakness (CWE)
CWESourceDescription
CWE-200 cna CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-306 cna CWE-306: Missing Authentication for Critical Function
CWE-862 cna CWE-862: Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.9 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References (1)
Back to overview