Privilege Escalation Vulnerability in FOSSBilling by FOSSBilling
CVE-2026-53645

8.5HIGH

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-53645?

FOSSBilling is an open-source billing and client management system that has a vulnerability allowing low-privileged staff accounts to grant arbitrary permissions to themselves using the admin API. This flaw permits users with minimal privileges to bypass role-based access control and elevate their access levels significantly. Versions before 0.8.0 are particularly at risk. To mitigate this issue, it is recommended that organizations restrict the 'staff.create_and_edit_staff' permission to trusted staff only and implement network controls such as a reverse proxy or a web application firewall (WAF) to limit access to critical APIs.

Affected Version(s)

FOSSBilling < 0.8.0

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.