CVE Alert

CVE-2026-33543

Severity: UNKNOWN (CVSS 0.0)

FOSSBilling: Authentication bypass allows unauthenticated administrator creation

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Because of a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The guard applies is_countable() to a value that is either a Model_Admin object or null, neither of which is a countable type, so the guard expression always evaluates as true and the intended protection is bypassed. As a result, an attacker can reach the unprotected endpoint, create a new administrator account and immediately authenticate, obtaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.
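The guard pattern the advisory describes, shown beside a corrected form, as an added PHP illustration. This is not FOSSBilling's code: the Model_Admin class here, findFirstAdmin() and the two bootstrapAllowed* functions are hypothetical stand-ins that reproduce the mechanism (is_countable() applied to an object-or-null lookup result), not the project's actual source.

```php
<?php
// Added example, not FOSSBilling's code. Model_Admin and findFirstAdmin() are
// hypothetical stand-ins for the ORM lookup the advisory refers to: a "find one"
// query that yields a single model object or null, never an array.
class Model_Admin {}

function findFirstAdmin(bool $adminExists): ?Model_Admin
{
    return $adminExists ? new Model_Admin() : null;
}

// Flawed guard (hypothetical reconstruction of the pattern in the advisory).
// is_countable() is true only for arrays and Countable objects. Model_Admin is
// not Countable and null is not countable either, so the "already bootstrapped"
// branch can never execute and bootstrap is allowed on every call.
function bootstrapAllowedFlawed(bool $adminExists): bool
{
    $existing = findFirstAdmin($adminExists);
    if (is_countable($existing) && count($existing) > 0) {
        return false; // unreachable for an object-or-null result
    }
    return true;
}

// Hardened guard: test for the presence of the object itself, which is the
// question the check was meant to answer.
function bootstrapAllowedFixed(bool $adminExists): bool
{
    $existing = findFirstAdmin($adminExists);
    return $existing === null;
}

// Exercise both guards with an admin already present and with a fresh install.
foreach ([true, false] as $adminExists) {
    printf(
        "admin exists: %s | flawed guard allows bootstrap: %s | fixed guard allows bootstrap: %s\n",
        var_export($adminExists, true),
        var_export(bootstrapAllowedFlawed($adminExists), true),
        var_export(bootstrapAllowedFixed($adminExists), true)
    );
}
```

Run with the php CLI. With an admin present the flawed guard still allows bootstrap, while the fixed guard refuses it; on a fresh install both allow it, so the legitimate first-run path is preserved. The general lesson applies beyond this one endpoint: a "does a record exist" check must test the type the lookup actually returns, and a test suite that asserts the endpoint is rejected once an administrator exists would have caught the always-true expression.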

CWE: CWE-288, CWE-306
Vendor: fossbilling
Product: fossbilling
Published: Jun 24, 2026

Affected Versions

FOSSBilling / FOSSBilling
< 0.8.0

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-28mh-j262-q49w
github.com: https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0