CVE-2026-27604

EPSS 0.41%
Veröffentlicht 23.06.2026 14:25:20
Zuletzt bearbeitet 23.06.2026 16:16:59
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 4 Referenzen 6

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerFOSSBilling

≫

Produkt FOSSBilling

Version >= 0.5.4, < 0.8.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.41%	0.324

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	10	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-78x5-c8gw-8279

https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc

https://www.vulncheck.com/blog/fossbilling-auth-bypass-ssti-rce

https://nvd.nist.gov/vuln/detail/CVE-2026-27604

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27604

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27604

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27604