Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-53640— FOSSBilling missing authorization checks on read-only admin API endpoints expose sensitive staff, client, and redirect data

AI Predicted 7.5 Difficulty: Easy EPSS 0.23% · P13

Possible ATT&CK Techniques 1AI

T1078 · Valid Accounts

Affected Version Matrix 1

VendorProductVersion RangeStatus
FOSSBillingFOSSBilling< 0.8.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53640

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
FOSSBilling missing authorization checks on read-only admin API endpoints expose sensitive staff, client, and redirect data
Source: NVD (National Vulnerability Database)
Vulnerability Description
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding read endpoints have no authorization guards. Version 0.8.0 contains a fix. Some workarounds are available. Restrict staff accounts to only those who need access to sensitive data and/or use a reverse proxy or WAF to restrict access to the affected endpoints.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
FOSSBilling 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
fossbilling是fossbilling团队开源的一种高效计费和客户管理方案。 FOSSBilling 0.8.0之前版本存在安全漏洞,该漏洞源于admin API端点缺少权限检查,可能导致低权限员工账户读取敏感数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
FOSSBillingFOSSBilling < 0.8.0 -

II. Public POCs for CVE-2026-53640

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53640

登录查看更多情报信息。

Vendor Advisories for CVE-2026-53640 (1)

Same Patch Batch · FOSSBilling · 2026-07-06 · 17 CVEs total

CVE-2026-42341FOSSBilling has an unauthenticated payment bypass via IPN callback forgery
CVE-2026-42331FOSSBilling missing authorization in guest Invoice API endpoints
CVE-2026-33734FOSSBilling has improper SQL neutralization in `Massmailer` recipient filters
CVE-2026-43921FOSSBilling vulnerable to arbitrary PHP code injection via unescaped config serialization
CVE-2026-43918Suspended or inactive FOSSBilling accounts can retain or regain access through existing se
CVE-2026-43927FOSSBilling has race condition in cart checkout that bypasses promo code usage limits
CVE-2026-43925FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized
CVE-2026-43928FOSSBilling: Payment amount not validated in PayPalEmail adapter allows invoice underpayme
CVE-2026-53641FOSSBilling has stored XSS in client email views via unescaped content in JavaScript templ
CVE-2026-53645FOSSBilling's missing self-edit prevention in staff permission management allows persisten
CVE-2026-53646FOSSBilling: Client password reset token reuse allows persistent account takeover
CVE-2026-53643FOSSBilling allows low-privileged staff accounts to perform unauthorized actions via admin
CVE-2026-53644FOSSBilling's missing order-state validation allows clients to read and reset API key secr
CVE-2026-53642FOSSBilling: Unverified clients can access client-area pages when email confirmation is re
CVE-2026-53647FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Servi
CVE-2026-53648FOSSBilling: Downloadable product files can be overwritten through filename collisions

IV. Related Vulnerabilities

V. Comments for CVE-2026-53640

No comments yet


Leave a comment