Authentication Token Reuse in FOSSBilling Vulnerability
CVE-2026-53646
What is CVE-2026-53646?
FOSSBilling, a popular open-source billing and client management system, has a vulnerability stemming from its client password reset mechanism in versions ranging from 0.5.6 to 0.7.2. Specifically, when a password reset token exists due to a prior request, any subsequent requests to reset the password utilize the original token, which remains valid despite the client's intention to generate a new one. This is due to the 15-minute window for the token's validity being tied to the timestamp of the initial request rather than the current action. Consequently, an attacker with access to the original reset link can successfully reset a user's password even after a new request has been made. The issue is rectified in version 0.8.0. For users seeking immediate mitigation, implementing per-IP rate limiting on the reset endpoint via a reverse proxy is recommended.
Affected Version(s)
FOSSBilling >= 0.5.6, < 0.8.0
