CVE-2026-27604
Published:June 23, 2026
Updated:June 29, 2026
FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged "/api/system/*" endpoints. Because "system" resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to "/api/system/*" at reverse proxy/WAF, restrict API access by trusted source IPs only ("api.allowed_ips"), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious "/api/system/" access and treat as potential incident.
Affected Packages
https://github.com/FOSSBilling/FOSSBilling.git (GITHUB):
Affected version(s) >=0.5.4 <0.8.0Fix Suggestion:
Update to version 0.8.0Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
10
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
10
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
EPSS
Base Score:
0.41