CVE-2026-53647

Source
https://cve.org/CVERecord?id=CVE-2026-53647
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53647.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53647
Aliases
  • GHSA-737q-9gpr-6mpq
Published
2026-07-06T23:10:29.692Z
Modified
2026-07-15T01:48:51.491349113Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Serviceapikey get_info endpoint
Details

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest serviceapikey/get_info API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters (custom_* fields) stored in the key's database record. These custom fields are populated by billing administrators and can contain business-sensitive data such as pricing tiers, feature flags, rate limits, expiry overrides, or access scope data. Version 0.8.0 patches the issue. Some workarounds are available. Administrators can avoid storing sensitive data in custom_* API key configuration fields, monitor API logs for suspicious calls to /api/guest/serviceapikey/get_info, and/or disable the Serviceapikey module if not in active use.

Database specific
{
    "cwe_ids": [
        "CWE-200",
        "CWE-306",
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53647.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/fossbilling/fossbilling

Affected ranges

Type
GIT
Repo
https://github.com/fossbilling/fossbilling
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.5.3"
        },
        {
            "fixed": "0.8.0"
        },
        {
            "fixed": "0.7.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

0.*
0.5.3
0.5.4
0.5.5
0.6.0
0.6.1
0.6.10
0.6.11
0.6.12
0.6.13
0.6.14
0.6.15
0.6.16
0.6.17
0.6.18
0.6.19
0.6.2
0.6.20
0.6.21
0.6.22
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53647.json"