Authentication Token Reuse in FOSSBilling Vulnerability
CVE-2026-53646

7.7HIGH

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-53646?

FOSSBilling, a popular open-source billing and client management system, has a vulnerability stemming from its client password reset mechanism in versions ranging from 0.5.6 to 0.7.2. Specifically, when a password reset token exists due to a prior request, any subsequent requests to reset the password utilize the original token, which remains valid despite the client's intention to generate a new one. This is due to the 15-minute window for the token's validity being tied to the timestamp of the initial request rather than the current action. Consequently, an attacker with access to the original reset link can successfully reset a user's password even after a new request has been made. The issue is rectified in version 0.8.0. For users seeking immediate mitigation, implementing per-IP rate limiting on the reset endpoint via a reverse proxy is recommended.

Affected Version(s)

FOSSBilling >= 0.5.6, < 0.8.0

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.