GHSA-pgcq-8grm-5rx9

Source
https://github.com/advisories/GHSA-pgcq-8grm-5rx9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-pgcq-8grm-5rx9/GHSA-pgcq-8grm-5rx9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pgcq-8grm-5rx9
Aliases
  • CVE-2026-55219
Published
2026-06-30T19:11:24Z
Modified
2026-06-30T19:15:08.956898516Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Paymenter has race condition in payWithCredit() that enables credit double-spend
Details

Summary

The credit payment implementation in app/Livewire/Invoices/Show.php executes a pessimistic row lock (lockForUpdate()) outside of an active database transaction. Because MySQL/MariaDB requires an enclosing transaction to enforce row-level locks, the guard is ineffective. Concurrent payment requests can exploit this race condition to read the same credit balance simultaneously, allowing users to pay multiple invoices using the same credit balance.

Technical Details

The issue occurs because the application attempts to lock the user's credit balance row in the database (lockForUpdate()) without opening a database transaction. In database systems like MySQL, a row lock only works inside a formal transaction; without one, the lock is completely ignored.

Because there is no active lock, two payment requests sent at the exact same millisecond can look at the database at the same time. Both requests see the original credit balance, decide it is sufficient, and approve the payment.
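The following is an added illustration of the pattern the advisory describes, written for this page rather than taken from Paymenter's own source. The table name `users`, the column `credit`, the `Invoice` model with a `total` attribute, and the `App\Models` namespace are assumptions; only `payWithCredit()` and the Laravel `lockForUpdate()` call come from the advisory. The weak form shows why the row lock does not help when each statement autocommits, and the hardened form wraps the lock, the balance check and the debit in one `DB::transaction()` and adds a conditional `UPDATE` so the debit cannot overdraw even if a future refactor drops the transaction again.

```php
<?php
// Added example (not Paymenter's code). Assumed models/columns:
//   App\Models\User    -> table `users`, integer column `credit`
//   App\Models\Invoice -> attribute `total`
// The payment-recording step is left as a comment; its real signature is not
// part of this example.

use App\Models\Invoice;
use App\Models\User;
use Illuminate\Support\Facades\DB;

// Weak form. With autocommit enabled, the SELECT ... FOR UPDATE is its own
// transaction, so the row lock is released the moment the query returns.
// Two requests can both pass the balance check before either debits the row.
function payWithCreditWeak(User $user, Invoice $invoice): bool
{
    $locked = User::whereKey($user->getKey())->lockForUpdate()->first(); // lock already gone here
    if ($locked === null || $locked->credit < $invoice->total) {
        return false;
    }
    $locked->decrement('credit', $invoice->total); // runs against a stale read
    // record the payment for $invoice here
    return true;
}

// Hardened form. Everything from the lock to the debit runs in one transaction,
// so a concurrent request blocks on the user's row and then sees the reduced
// balance. The conditional UPDATE is an independent guard: it only debits when
// the current stored balance still covers the invoice.
function payWithCreditSafe(User $user, Invoice $invoice): bool
{
    return DB::transaction(function () use ($user, $invoice): bool {
        // Lock the invoice too, so the same invoice cannot be settled twice.
        $lockedInvoice = Invoice::whereKey($invoice->getKey())->lockForUpdate()->firstOrFail();
        if ($lockedInvoice->status === 'paid') {           // assumed status column
            return false;
        }

        // Hold the user's row for the rest of the transaction.
        $locked = User::whereKey($user->getKey())->lockForUpdate()->firstOrFail();
        if ($locked->credit < $lockedInvoice->total) {
            return false;
        }

        // Conditional debit: affected-row count is 0 if the balance changed underneath us.
        $debited = User::whereKey($locked->getKey())
            ->where('credit', '>=', $lockedInvoice->total)
            ->decrement('credit', $lockedInvoice->total);
        if ($debited !== 1) {
            return false; // transaction rolls back nothing harmful; caller reports failure
        }

        // record the payment for $lockedInvoice here, inside the same transaction
        return true;
    });
}
```

When reviewing code for this class of bug, the check is mechanical: every `lockForUpdate()` or `sharedLock()` call must sit inside a `DB::transaction()` closure or between explicit `DB::beginTransaction()` / `DB::commit()` calls, and the write that depends on the locked read must happen before the commit. The conditional `UPDATE ... WHERE credit >= ?` is worth keeping even with the transaction in place, because it makes the invariant hold at the storage layer regardless of the isolation level.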

Impact

This race condition allows any authenticated user with a valid credit balance to bypass balance restrictions and settle multiple pending invoices simultaneously for the cost of a single invoice.

Because the payment processes successfully through ExtensionHelper::addPayment(), the application provisions the corresponding services or digital goods, resulting in direct financial or resource loss to the platform.

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-362"
    ],
    "github_reviewed_at": "2026-06-30T19:11:24Z",
    "github_reviewed": true
}
References

Affected packages

Packagist / paymenter/paymenter

Package

Name
paymenter/paymenter
Purl
pkg:composer/paymenter%2Fpaymenter

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.5.5

Affected versions

0.*
0.1
0.1.1
0.1.2
0.1.3
0.2
0.2.1
v0.*
v0.3
v0.4
v0.4.1
v0.5
v0.5.1
v0.5.2
v0.5.3
v0.6
v0.7
v0.7.1
v0.8
v0.8.1
v0.8.2
v0.9
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.1.1
v1.5.4

Database specific
{
    "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-pgcq-8grm-5rx9/GHSA-pgcq-8grm-5rx9.json",
    "last_known_affected_version_range": "<= 1.5.4"
}