CVE-2026-27708

EPSS 0.27%
Veröffentlicht 24.06.2026 19:24:50
Zuletzt bearbeitet 25.06.2026 20:17:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach — attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 5

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerFOSSBilling

≫

Produkt FOSSBilling

Version < 0.8.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.178

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0

https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j

https://nvd.nist.gov/vuln/detail/CVE-2026-27708

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27708

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27708

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27708