Unauthenticated Mass Assignment Vulnerability in FOSSBilling by FOSSBilling
CVE-2026-43925

6.9MEDIUM

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-43925?

FOSSBilling, a free and open-source billing and client management system, is affected by a mass assignment vulnerability in the client self-registration endpoint. This flaw permits unauthenticated individuals to assign themselves to arbitrary client groups during the registration process. Such unauthorized group assignments allow potential attackers to exploit promo code eligibility tied to specific client groups, leading to the possibility of receiving discounts unlawfully. FOSSBilling version 0.8.0 has addressed this issue with a patch. Administrators can mitigate the risks by removing group restrictions from promo codes or disabling the self-registration feature.

Affected Version(s)

FOSSBilling < 0.8.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.