API Key Vulnerability in FOSSBilling Affects Client Management System
CVE-2026-53644

8.6HIGH

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-53644?

The vulnerability in FOSSBilling arises from a lack of sufficient validation on the order state in certain client API endpoints. Authenticated users can exploit this flaw to read and reset API key service secrets for orders that are not actively managed, such as those that are suspended or canceled. Despite the existence of an isActive() function within the related module, the API does not enforce this condition, leading to unauthorized access. To mitigate this issue, users can upgrade to version 0.8.0 or implement workarounds, including uninstalling the Serviceapikey module or employing security measures such as reverse proxies or WAFs to limit access based on actual order-state logic.

Affected Version(s)

FOSSBilling >= 0.5.3, < 0.8.0

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.