CVE-2026-53644
FOSSBilling's missing order-state validation allows clients to read and reset API key secrets for non-active orders
FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an `active` state (e.g., `suspended`, `canceled`). The root cause is missing order-state validation in two client API endpoints, despite an `isActive()` helper already existing in the `Serviceapikey` module and the frontend UI correctly gating access on `order.status == 'active'`. Version 0.8.0 contains a fix. Some workarounds are available. If the `Serviceapikey` module is not needed, uninstall it to remove the affected endpoints. One may also use a reverse proxy or WAF to restrict access to `/api/client/order/service` and `/api/client/serviceapikey/reset` based on application-level order-state logic.
| CWE | CWE-639 |
| Vendor | fossbilling |
| Product | fossbilling |
| Published | Jul 6, 2026 |
| Last Updated | Jul 7, 2026 |
Get instant alerts for fossbilling fossbilling
Be the first to know when new unknown vulnerabilities affecting fossbilling fossbilling are published โ delivered to Slack, Telegram or Discord.