Unauthenticated Mass Assignment Vulnerability in FOSSBilling by FOSSBilling
CVE-2026-43925
6.9MEDIUM
What is CVE-2026-43925?
FOSSBilling, a free and open-source billing and client management system, is affected by a mass assignment vulnerability in the client self-registration endpoint. This flaw permits unauthenticated individuals to assign themselves to arbitrary client groups during the registration process. Such unauthorized group assignments allow potential attackers to exploit promo code eligibility tied to specific client groups, leading to the possibility of receiving discounts unlawfully. FOSSBilling version 0.8.0 has addressed this issue with a patch. Administrators can mitigate the risks by removing group restrictions from promo codes or disabling the self-registration feature.
Affected Version(s)
FOSSBilling < 0.8.0
