๐Ÿ” CVE Alert

CVE-2026-53644

UNKNOWN 0.0

FOSSBilling's missing order-state validation allows clients to read and reset API key secrets for non-active orders

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
16th

FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an `active` state (e.g., `suspended`, `canceled`). The root cause is missing order-state validation in two client API endpoints, despite an `isActive()` helper already existing in the `Serviceapikey` module and the frontend UI correctly gating access on `order.status == 'active'`. Version 0.8.0 contains a fix. Some workarounds are available. If the `Serviceapikey` module is not needed, uninstall it to remove the affected endpoints. One may also use a reverse proxy or WAF to restrict access to `/api/client/order/service` and `/api/client/serviceapikey/reset` based on application-level order-state logic.

CWE CWE-639
Vendor fossbilling
Product fossbilling
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for fossbilling fossbilling

Be the first to know when new unknown vulnerabilities affecting fossbilling fossbilling are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

FOSSBilling / FOSSBilling
>= 0.5.3, < 0.8.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-qf6j-vq68-qmfh