CVE-2026-43918
Suspended or inactive FOSSBilling accounts can retain or regain access through existing sessions, API tokens, and password reset flows
CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
14th
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php (loggedin_client and loggedin_admin) only reject sessions if the backing account record no longer exists in the database. They do not verify that the account's status is still active. This allows a suspended or deactivated user to retain full access until their session naturally expires. This issue has been fixed in version 0.8.0.
| CWE | CWE-613 |
| Vendor | fossbilling |
| Product | fossbilling |
| Published | Jul 6, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for fossbilling fossbilling
Be the first to know when new unknown vulnerabilities affecting fossbilling fossbilling are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
FOSSBilling / FOSSBilling
< 0.8.0