Authorization Flaw in FOSSBilling Enables Invoice Manipulation
CVE-2026-42331

7.7HIGH

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-42331?

FOSSBilling, an open-source billing and client management system, contains a vulnerability in the Guest API that permits an unauthenticated user to alter the payment gateway associated with an unpaid invoice. This flaw arises due to the absence of an authorization check on the invoice/update endpoint, unlike other invoice-related endpoints. An attacker with access to a valid invoice hash, which can be inadvertently disclosed through shared URLs, referrer headers, or email links, can modify the 'gateway_id' of an unpaid invoice to utilize any pre-configured payment gateway. While this does not enable redirecting payments to arbitrary external endpoints, as the gateway must be previously established by an administrator, the vulnerability poses a risk of unauthorized financial modifications. The vulnerability is addressed in version 0.8.0, and no known mitigations exist for earlier versions.

Affected Version(s)

FOSSBilling < 0.8.0

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.