CVE-2026-23513
FOSSBilling: Broken Authorization in Client Transaction and Order Listings
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients' data.

Details

In ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery(), OR-based search/action filters were appended to the query without grouping, so SQL operator precedence evaluated the OR clauses independently of the enforced client_id constraint. Crafted requests could therefore return records and metadata belonging to other clients, including identifiers, amounts, status, timestamps and related fields. This issue was fixed in version 0.8.0.
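To make the precedence problem concrete, the following is an added, constructed example (not FOSSBilling's code; the table, column names and sample rows are assumptions) that builds the same tenant-scoped listing query twice, once with the OR filters appended bare and once parenthesised, and includes a regression check a maintainer could keep in a test suite.

```python
import sqlite3

# Constructed sample rows standing in for a transactions table shared by
# several clients; an illustration only, not FOSSBilling's real schema.
ROWS = [
    (1, 100, "paid", 19.99),
    (2, 100, "pending", 5.00),
    (3, 200, "paid", 99.00),
    (4, 300, "refunded", 42.00),
]


def _open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions "
                 "(id INTEGER, client_id INTEGER, status TEXT, amount REAL)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", ROWS)
    return conn


def build_query(client_id, statuses, grouped):
    """Build a tenant-scoped listing query with optional OR status filters.

    grouped=False reproduces the CWE-863 pattern from the advisory: the OR
    filters are appended to the WHERE clause without parentheses. AND binds
    tighter than OR, so the client_id constraint only covers the first OR
    branch and every later branch matches rows of any client.
    """
    where = ["client_id = :client_id"]
    params = {"client_id": client_id}
    if statuses:
        branches = [f"status = :s{i}" for i in range(len(statuses))]
        params.update({f"s{i}": s for i, s in enumerate(statuses)})
        clause = " OR ".join(branches)
        where.append(f"({clause})" if grouped else clause)  # fix: parenthesise
    return "SELECT id, client_id FROM transactions WHERE " + " AND ".join(where), params


def list_transactions(client_id, statuses, grouped=True):
    """Run the listing for one client; return the client_ids of the rows it sees."""
    sql, params = build_query(client_id, statuses, grouped)
    with _open_db() as conn:
        return sorted({row[1] for row in conn.execute(sql, params)})


def leaks_other_tenants(client_id, statuses, grouped):
    """Regression check: any row carrying a foreign client_id is a tenant leak."""
    return any(cid != client_id for cid in list_transactions(client_id, statuses, grouped))
```

Note that a single filter term never leaks in either form; the flaw only surfaces once a second OR branch exists, which is why such tests should cover multi-term filters.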
| Field | Value |
|---|---|
| CWE | CWE-863 |
| Vendor | fossbilling |
| Product | fossbilling |
| Published | Jun 23, 2026 |