Authorization Flaw in FOSSBilling Enables Invoice Manipulation
CVE-2026-42331
What is CVE-2026-42331?
FOSSBilling, an open-source billing and client management system, contains a vulnerability in the Guest API that permits an unauthenticated user to alter the payment gateway associated with an unpaid invoice. This flaw arises due to the absence of an authorization check on the invoice/update endpoint, unlike other invoice-related endpoints. An attacker with access to a valid invoice hash, which can be inadvertently disclosed through shared URLs, referrer headers, or email links, can modify the 'gateway_id' of an unpaid invoice to utilize any pre-configured payment gateway. While this does not enable redirecting payments to arbitrary external endpoints, as the gateway must be previously established by an administrator, the vulnerability poses a risk of unauthorized financial modifications. The vulnerability is addressed in version 0.8.0, and no known mitigations exist for earlier versions.
Affected Version(s)
FOSSBilling < 0.8.0
