Privilege Escalation Vulnerability in FOSSBilling by FOSSBilling
CVE-2026-53645
8.5HIGH
What is CVE-2026-53645?
FOSSBilling is an open-source billing and client management system that has a vulnerability allowing low-privileged staff accounts to grant arbitrary permissions to themselves using the admin API. This flaw permits users with minimal privileges to bypass role-based access control and elevate their access levels significantly. Versions before 0.8.0 are particularly at risk. To mitigate this issue, it is recommended that organizations restrict the 'staff.create_and_edit_staff' permission to trusted staff only and implement network controls such as a reverse proxy or a web application firewall (WAF) to limit access to critical APIs.
Affected Version(s)
FOSSBilling < 0.8.0
