CVE-2026-27604
FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions
In short
FOSSBilling has a critical flaw that allows attackers to call privileged admin functions through the API without logging in or supplying any credentials. Anyone who can reach the `/api/system/*` endpoints over the network can potentially take control of the billing system and the customer data it holds.
Technical detail
An authorization bypass in API role validation (CWE-200, CWE-306, CWE-862, CWE-863) lets unauthenticated requests reach the `/api/system/*` endpoints: the `system` role is resolved to the cron admin identity, so a caller who presents no credentials is handled as that admin. No valid credentials, session token, or CSRF token are required, which enables direct invocation of privileged admin API methods. Affects versions 0.5.4 up to, but not including, 0.8.0; patched in 0.8.0.
Summary generated and translated by AI from the official description.
FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available for deployments that cannot upgrade immediately: block external access to `/api/system/*` at the reverse proxy or WAF, restrict API access to trusted source IPs only (`api.allowed_ips`), rotate all admin and client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and review API request logs for `/api/system/` access from untrusted sources, treating any such access as a potential incident.
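The affected version range and the log-review workaround above can both be checked with a short script. The following is an added example written for this page, not code from the FOSSBilling project or the advisory: it assumes the web server in front of FOSSBilling writes the common "combined" access-log format, the trusted CIDRs stand in for whatever is configured in `api.allowed_ips`, and the sample log lines (including the `/api/system/example_method` path) are constructed for the example rather than taken from a real system.

```python
"""Triage helpers for CVE-2026-27604 (FOSSBilling /api/system/* authorization bypass).

1. is_affected(): is an installed FOSSBilling version in the vulnerable range
   (>= 0.5.4 and < 0.8.0 per the advisory)?
2. find_suspicious_system_api_hits(): scan access-log lines for requests to
   /api/system/ that did not come from a trusted source IP. The advisory says
   to treat such requests as a potential incident.

Assumptions (this is an illustrative script, not FOSSBilling code): logs are in
nginx/Apache "combined" format; the sample lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Vulnerable range from the advisory: 0.5.4 <= version < 0.8.0
AFFECTED_MIN = (0, 5, 4)
FIXED = (0, 8, 0)


def parse_version(v: str) -> tuple:
    """Turn '0.7.2', 'v0.7.2' or '0.7.2-beta' into a comparable int tuple."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:          # pad so '0.7' compares like '0.7.0'
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the given FOSSBilling version falls in the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


# Combined log format: IP ident user [time] "METHOD PATH PROTO" STATUS SIZE ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Hit:
    ip: str
    time: str
    method: str
    path: str
    status: int


def find_suspicious_system_api_hits(log_lines, trusted_cidrs):
    """Return /api/system/ requests whose source IP is outside trusted_cidrs.

    A 2xx status on such a request is the strongest signal: on a vulnerable
    version it means an unauthenticated caller reached an admin method.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not an access-log record; skip it
        path = m.group("path").split("?", 1)[0]   # compare the path without the query string
        if not path.startswith("/api/system/"):
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in trusted):
            continue                        # cron/monitoring from trusted hosts is expected
        hits.append(Hit(str(ip), m.group("time"), m.group("method"),
                        path, int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic). Documentation-range IPs are used.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Mar/2026:03:00:01 +0000] "GET /api/system/example_method HTTP/1.1" 200 512 "-" "curl/8.5"',
    '203.0.113.45 - - [10/Mar/2026:03:12:44 +0000] "POST /api/system/example_method HTTP/1.1" 200 1984 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2026:03:13:02 +0000] "GET /api/system/example_method?x=1 HTTP/1.1" 401 87 "-" "curl/8.5"',
    '203.0.113.45 - - [10/Mar/2026:03:14:10 +0000] "GET /api/client/example HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    'malformed line that is not an access-log record',
]
TRUSTED = ["127.0.0.1/32", "10.0.0.0/8"]   # stand-in for api.allowed_ips


if __name__ == "__main__":
    for v in ("0.5.3", "0.5.4", "0.7.9", "0.8.0"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for h in find_suspicious_system_api_hits(SAMPLE_LOG, TRUSTED):
        flag = "SUCCESS" if 200 <= h.status < 300 else "attempt"
        print(f"{flag}: {h.ip} {h.method} {h.path} -> {h.status} at {h.time}")
```

The localhost hit is ignored because cron traffic from a trusted host is the legitimate user of the `system` role; the two requests from untrusted addresses are reported, with the 200 response being the one to escalate, since on an unpatched instance it indicates an unauthenticated caller actually reached an admin method.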
CVSS 4.0 base score: 10.0 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products
FOSSBilling · FOSSBilling