Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 07 Jul 2026 00:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Fossbilling
Fossbilling fossbilling |
|
| Vendors & Products |
Fossbilling
Fossbilling fossbilling |
Mon, 06 Jul 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow low-privileged staff accounts to perform unauthorized actions via admin API endpoints. The root cause is a combination of the `can_always_access` module flag (which grants all staff access to certain modules) and insufficient permission checks or unsafe parameter handling on individual endpoints. Version 0.8.0 contains a fix. Some workarounds are available. Restrict staff accounts to only those who need access to sensitive settings and/or use a reverse proxy or WAF to restrict access to the affected endpoints to trusted IP addresses or higher-privilege roles. | |
| Title | FOSSBilling allows low-privileged staff accounts to perform unauthorized actions via admin API endpoints | |
| Weaknesses | CWE-200 CWE-639 CWE-862 |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-06T22:49:50.500Z
Reserved: 2026-06-09T20:16:59.648Z
Link: CVE-2026-53643
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T00:30:03Z