CVE-2026-27604

UNKNOWN 0.0

FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident.

CWE	CWE-200 CWE-306 CWE-862 CWE-863
Vendor	fossbilling
Product	fossbilling
Published	Jun 23, 2026
Last Updated	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for fossbilling fossbilling

Be the first to know when new unknown vulnerabilities affecting fossbilling fossbilling are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

FOSSBilling / FOSSBilling

>= 0.5.4, < 0.8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-78x5-c8gw-8279 github.com: https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc vulncheck.com: https://www.vulncheck.com/blog/fossbilling-auth-bypass-ssti-rce