Unauthorized Access Risk in FOSSBilling by FOSSBilling Team
CVE-2026-53643

8.7HIGH

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-53643?

FOSSBilling is affected by a vulnerability that enables low-privileged staff accounts to execute unauthorized actions through admin API endpoints. This security flaw arises from the can_always_access module flag, which inadvertently allows unrestricted access to certain modules for all staff, combined with inadequate permission checks and poor parameter handling on individual endpoints. The issue has been addressed in version 0.8.0 of FOSSBilling, which users are recommended to upgrade to. As a precaution, limiting staff account access to only essential roles and implementing a reverse proxy or web application firewall to secure endpoints can significantly mitigate risk.

Affected Version(s)

FOSSBilling < 0.8.0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.