Sensitive Data Exposure in FOSSBilling by Low-Privileged Staff Accounts
CVE-2026-53640
2.3LOW
What is CVE-2026-53640?
FOSSBilling, an open-source billing and client management system, has a vulnerability allowing low-privileged staff accounts to access sensitive information via exposed admin API endpoints lacking proper authorization checks. While write operations enforce the necessary permissions, the read operations do not, making sensitive data vulnerable to unauthorized access. An update to version 0.8.0 addresses this issue, and users are encouraged to implement workarounds such as limiting staff access to essential data and using measures like reverse proxies or Web Application Firewalls (WAF) to safeguard the affected endpoints.
Affected Version(s)
FOSSBilling < 0.8.0
