Exposed API Endpoint in FOSSBilling Allows Unauthorized Access to Sensitive Data
CVE-2026-53647
What is CVE-2026-53647?
The FOSSBilling system, a free and open-source billing solution, has a significant security issue within its Guest API. Specifically, the serviceapikey/get_info endpoint is accessible without any form of authentication in versions 0.5.3 through 0.7.2. This lack of protection allows any user with a valid API key to access all custom configuration parameters stored in the associated database record. These parameters may contain sensitive business information, including pricing tiers and feature flags. The vulnerability has been addressed in version 0.8.0. Temporary workarounds include not storing sensitive information in the custom fields, actively monitoring logs for unusual access patterns, or disabling the Serviceapikey module if it is not in use.
Affected Version(s)
FOSSBilling >= 0.5.3, < 0.8.0
