Exposed API Endpoint in FOSSBilling Allows Unauthorized Access to Sensitive Data
CVE-2026-53647

6.9MEDIUM

Key Information:

Vendor
CVE Published:
6 July 2026

What is CVE-2026-53647?

The FOSSBilling system, a free and open-source billing solution, has a significant security issue within its Guest API. Specifically, the serviceapikey/get_info endpoint is accessible without any form of authentication in versions 0.5.3 through 0.7.2. This lack of protection allows any user with a valid API key to access all custom configuration parameters stored in the associated database record. These parameters may contain sensitive business information, including pricing tiers and feature flags. The vulnerability has been addressed in version 0.8.0. Temporary workarounds include not storing sensitive information in the custom fields, actively monitoring logs for unusual access patterns, or disabling the Serviceapikey module if it is not in use.

Affected Version(s)

FOSSBilling >= 0.5.3, < 0.8.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.