Authorization Bypass in FOSSBilling Affects Client Management Systems
CVE-2026-27604
10 CRITICAL
What is CVE-2026-27604?
FOSSBilling, an open-source billing and client management system, has an authorization bypass vulnerability affecting versions from 0.5.4 up to, but not including, 0.8.0. The flaw permits unauthenticated access to sensitive API endpoints under /api/system/*, exposing admin API methods that should require an authenticated administrator. Attackers can exploit this weakness without valid credentials, a session, or a CSRF token. FOSSBilling has released version 0.8.0 to address the issue. Until the upgrade is applied, it is recommended to restrict access to the API through a reverse proxy/WAF, limit API access by whitelisting trusted IP addresses, rotate tokens, invalidate active sessions, and review API logs for any suspicious activity.
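The last two mitigations (IP whitelisting and reviewing API logs) can be combined into a quick triage script. The example below is added here and is not FOSSBilling's code; it assumes a reverse proxy in front of FOSSBilling writing the common "combined" access-log format, and the trusted networks, log lines and method names under /api/system/ are constructed placeholders.

```python
import ipaddress
import re

# Combined log format as written by nginx/Apache by default (assumption:
# adjust the regex if your proxy logs a different format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Networks allowed to reach the admin API (constructed placeholder values).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.10/32")]

# Constructed sample log lines, not real traffic; /api/system/<name> paths are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Mar/2026:10:01:12 +0000] "GET /api/system/example_method HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.77 - - [02/Mar/2026:10:02:03 +0000] "GET /api/system/example_method HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.77 - - [02/Mar/2026:10:02:05 +0000] "GET /api/system/other_method HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.4.2 - - [02/Mar/2026:10:03:44 +0000] "GET /api/system/example_method HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Mar/2026:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def is_trusted(ip, trusted=TRUSTED):
    """True if the client address falls inside one of the whitelisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def review_api_log(log_text, trusted=TRUSTED, successful_only=False):
    """Return (ip, method, path, status) for every /api/system/* request from an
    address outside the whitelist. With successful_only=True, keep only 2xx
    responses: on a vulnerable version those are the calls that actually ran."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/api/system/"):
            continue
        if is_trusted(m["ip"], trusted):
            continue
        status = int(m["status"])
        if successful_only and not 200 <= status < 300:
            continue
        findings.append((m["ip"], m["method"], m["path"], status))
    return findings


if __name__ == "__main__":
    for ip, method, path, status in review_api_log(SAMPLE_LOG):
        print(f"untrusted {ip} {method} {path} -> {status}")
```

Hits with a 2xx status from an address you do not recognise are the ones to treat as a likely compromise of the admin API, which is when the token rotation and session invalidation above should follow.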
Affected Version(s)
FOSSBilling >= 0.5.4, < 0.8.0
