CVE-2026-53642
FOSSBilling: Unverified clients can access client-area pages when email confirmation is required
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address (`email_approved = 0`) can access all client-area pages (e.g. `/client/balance`, `/client/order/list`, `/client/invoice`) and read real account data, including wallet balances and transaction history. The API-side enforcement correctly restricts unverified clients to only profile-related endpoints, but the page-side enforcement is overly permissive, allowing any request whose path starts with `/client`. Version 0.8.0 contains a fix. No known workarounds that don't involve modifying the source code are available.
| CWE | CWE-863 |
| Vendor | fossbilling |
| Product | fossbilling |
| Published | Jul 6, 2026 |
| Last Updated | Jul 7, 2026 |
Get instant alerts for fossbilling fossbilling
Be the first to know when new unknown vulnerabilities affecting fossbilling fossbilling are published โ delivered to Slack, Telegram or Discord.