Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-53645— FOSSBilling's missing self-edit prevention in staff permission management allows persistent privilege escalation

AI Predicted 7.8 Difficulty: Trivial EPSS 0.24% · P15

Affected Version Matrix 1

VendorProductVersion RangeStatus
FOSSBillingFOSSBilling< 0.8.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53645

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
FOSSBilling's missing self-edit prevention in staff permission management allows persistent privilege escalation
Source: NVD (National Vulnerability Database)
Vulnerability Description
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow a low-privileged staff account to grant arbitrary module permissions to itself through the admin API, resulting in persistent privilege escalation. A staff user that only has `staff.create_and_edit_staff` can call `/api/admin/staff/permissions_update` targeting their own account and write any permission structure, bypassing the intended role-based access control boundary. Version 0.8.0 patches the issue. Some workarounds are available. Restrict the `staff.create_and_edit_staff` permission to only highly trusted staff members and/or use a reverse proxy or WAF to restrict access to `/api/admin/staff/permissions_update` to specific trusted roles.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权管理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
FOSSBilling 权限许可和访问控制问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
fossbilling是fossbilling团队开源的一种高效计费和客户管理方案。 FOSSBilling 0.8.0之前版本存在权限许可和访问控制问题漏洞,该漏洞源于低权限的员工账户可通过admin API授予自身任意模块权限,绕过基于角色的访问控制边界,导致持久权限提升。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
FOSSBillingFOSSBilling < 0.8.0 -

II. Public POCs for CVE-2026-53645

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53645

登录查看更多情报信息。

Vendor Advisories for CVE-2026-53645 (1)

Same Patch Batch · FOSSBilling · 2026-07-06 · 17 CVEs total

CVE-2026-42341FOSSBilling has an unauthenticated payment bypass via IPN callback forgery
CVE-2026-42331FOSSBilling missing authorization in guest Invoice API endpoints
CVE-2026-33734FOSSBilling has improper SQL neutralization in `Massmailer` recipient filters
CVE-2026-43921FOSSBilling vulnerable to arbitrary PHP code injection via unescaped config serialization
CVE-2026-43918Suspended or inactive FOSSBilling accounts can retain or regain access through existing se
CVE-2026-43927FOSSBilling has race condition in cart checkout that bypasses promo code usage limits
CVE-2026-43925FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized
CVE-2026-43928FOSSBilling: Payment amount not validated in PayPalEmail adapter allows invoice underpayme
CVE-2026-53640FOSSBilling missing authorization checks on read-only admin API endpoints expose sensitive
CVE-2026-53641FOSSBilling has stored XSS in client email views via unescaped content in JavaScript templ
CVE-2026-53646FOSSBilling: Client password reset token reuse allows persistent account takeover
CVE-2026-53643FOSSBilling allows low-privileged staff accounts to perform unauthorized actions via admin
CVE-2026-53644FOSSBilling's missing order-state validation allows clients to read and reset API key secr
CVE-2026-53642FOSSBilling: Unverified clients can access client-area pages when email confirmation is re
CVE-2026-53647FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Servi
CVE-2026-53648FOSSBilling: Downloadable product files can be overwritten through filename collisions

IV. Related Vulnerabilities

V. Comments for CVE-2026-53645

No comments yet


Leave a comment