CVE-2026-23513— FOSSBilling: Broken Authorization in Client Transaction and Order Listings
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23513
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FOSSBilling: Broken Authorization in Client Transaction and Order Listings
Source: NVD (National Vulnerability Database)
Vulnerability Description
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery(), OR-based search/action filters were appended without grouping, allowing SQL operator precedence to evaluate OR clauses independently of the enforced client_id constraint. Crafted requests could therefore return records and metadata belonging to other clients, including identifiers, amounts, status, timestamps, and related fields. This issue was fixed in version 0.8.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| FOSSBilling | FOSSBilling | < 0.8.0 | - |
II. Public POCs for CVE-2026-23513
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23513
请登录查看更多情报信息。
Vendor Pages for CVE-2026-23513 (1)
Other References for CVE-2026-23513 (1)
Same Patch Batch · FOSSBilling · 2026-06-23 · 4 CVEs total
| CVE-2026-27604 | FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privi | |
| CVE-2026-28496 | FOSSBilling: Server-side template injection in Twig template rendering enables information | |
| CVE-2025-64105 | FOSSBilling: IDOR Vulnerability in Support Ticket Creation |
IV. Related Vulnerabilities
Same product: FOSSBilling
- CVE-2026-43920
FOSSBilling: Unauthenticated update patcher endpoint allows - CVE-2026-33543
FOSSBilling: Authentication bypass allows unauthenticated ad - CVE-2026-27708
FOSSBilling: IDOR in Servicecustom Client API allows cross-c - CVE-2025-64105
FOSSBilling: IDOR Vulnerability in Support Ticket Creation - CVE-2026-27604
FOSSBilling: Improper API Role Validation (system) Enables U
Same vendor: FOSSBilling
- CVE-2026-43920
FOSSBilling: Unauthenticated update patcher endpoint allows - CVE-2026-33543
FOSSBilling: Authentication bypass allows unauthenticated ad - CVE-2026-27708
FOSSBilling: IDOR in Servicecustom Client API allows cross-c - CVE-2025-64105
FOSSBilling: IDOR Vulnerability in Support Ticket Creation - CVE-2026-27604
FOSSBilling: Improper API Role Validation (system) Enables U
Same weakness: CWE-863
- CVE-2026-9640
LXD Snapshot Import Privilege Escalation Vulnerability - CVE-2026-54091
File Browser: Incorrect access control in public directory s - CVE-2026-54096
File Browser: Improper Access Control Occurs via Pre-Created - CVE-2026-54573
Authorization Bypass in API Key/OAuth Scopes via Path Parsin - CVE-2026-0934
Incorrect Authorization in GitLab
V. Comments for CVE-2026-23513
No comments yet