Sensitive Data Exposure in FOSSBilling by Low-Privileged Staff Accounts
CVE-2026-53640

2.3LOW

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-53640?

FOSSBilling, an open-source billing and client management system, has a vulnerability allowing low-privileged staff accounts to access sensitive information via exposed admin API endpoints lacking proper authorization checks. While write operations enforce the necessary permissions, the read operations do not, making sensitive data vulnerable to unauthorized access. An update to version 0.8.0 addresses this issue, and users are encouraged to implement workarounds such as limiting staff access to essential data and using measures like reverse proxies or Web Application Firewalls (WAF) to safeguard the affected endpoints.

Affected Version(s)

FOSSBilling < 0.8.0

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.