CVE-2026-27604

Source
https://cve.org/CVERecord?id=CVE-2026-27604
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27604.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27604
Related
  • GHSA-57mv-jm88-66jc
  • GHSA-78x5-c8gw-8279
Published
2026-06-23T14:25:20.334Z
Modified
2026-07-08T08:14:43.156484Z
Severity
  • 10.0 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions
Details

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged /api/system/* endpoints. Because system resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to /api/system/* at reverse proxy/WAF, restrict API access by trusted source IPs only (api.allowed_ips), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious /api/system/ access and treat as potential incident.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200",
        "CWE-306",
        "CWE-862",
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27604.json"
}
References

Affected packages

Git / github.com/fossbilling/fossbilling

Affected ranges

Type
GIT
Repo
https://github.com/fossbilling/fossbilling
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.5.4"
        },
        {
            "fixed": "0.8.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.5.4
0.5.5
0.6.0
0.6.1
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.6.15
0.6.16
0.6.17
0.6.18
0.6.19
0.6.2
0.6.20
0.6.21
0.6.22
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27604.json"