Unauthenticated Payment Bypass in FOSSBilling by FOSSBilling
CVE-2026-42341

9.2CRITICAL

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-42341?

FOSSBilling, a widely-used open-source billing and client management system, is vulnerable to a serious issue in its IPN callback endpoint that allows attackers to unlawfully mark unpaid invoices as paid. This occurs when the Custom payment adapter is enabled, enabling unauthorized users to exploit the system by sending a specifically crafted HTTP request. As a result, clients' accounts could receive credits without any actual payment being made. Users are urged to upgrade to FOSSBilling version 0.8.0, which addresses this vulnerability. For additional layers of security, temporarily disable the Custom payment gateway if unnecessary, and restrict access to the '/ipn.php' endpoint at the web server level to mitigate risks, though this might affect legitimate payment processing.

Affected Version(s)

FOSSBilling >= 0.6.0, < 0.8.0

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.