Unauthorized Access Risk in FOSSBilling by FOSSBilling Team
CVE-2026-53643
8.7HIGH
What is CVE-2026-53643?
FOSSBilling is affected by a vulnerability that enables low-privileged staff accounts to execute unauthorized actions through admin API endpoints. This security flaw arises from the can_always_access module flag, which inadvertently allows unrestricted access to certain modules for all staff, combined with inadequate permission checks and poor parameter handling on individual endpoints. The issue has been addressed in version 0.8.0 of FOSSBilling, which users are recommended to upgrade to. As a precaution, limiting staff account access to only essential roles and implementing a reverse proxy or web application firewall to secure endpoints can significantly mitigate risk.
Affected Version(s)
FOSSBilling < 0.8.0
