CVE-2026-27708

UNKNOWN 0.0

FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach — attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.

CWE	CWE-284 CWE-639 CWE-862
Vendor	fossbilling
Product	fossbilling
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for fossbilling fossbilling

Be the first to know when new unknown vulnerabilities affecting fossbilling fossbilling are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

FOSSBilling / FOSSBilling

< 0.8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j github.com: https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0