CVE-2026-23513
SQL Injection in FOSSBilling Client List Endpoints

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data.
Details
In ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery(), OR-based search/action filters were appended without grouping, allowing SQL operator precedence to evaluate OR clauses independently of the enforced client_id constraint. Crafted requests could therefore return records and metadata belonging to other clients, including identifiers, amounts, status, timestamps, and related fields. This issue was fixed in version 0.8.0.
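The precedence flaw the description attributes to the two getSearchQuery() methods, shown as an added example that is not FOSSBilling's code: a constructed Python/sqlite query builder appends the OR filter ungrouped (the flawed form) and grouped (the fixed form), and a regression check reports any returned rows that belong to another client. The table name tx, its columns and the sample rows are constructed for the demonstration and assume nothing about the real schema.

```python
import sqlite3

# Constructed sample data (not from FOSSBilling): transactions for two clients.
SAMPLE_ROWS = [(1, 100, "pending", 10.0), (2, 100, "paid", 25.0),
               (3, 200, "paid", 999.0), (4, 200, "pending", 50.0)]


def setup_db():
    """In-memory table standing in for a tenant-scoped transaction table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tx (id INTEGER, client_id INTEGER, status TEXT, amount REAL)")
    conn.executemany("INSERT INTO tx VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query(client_id, search, grouped):
    """Assemble the WHERE clause with or without parentheses around the OR filter.

    Ungrouped: client_id = ? AND id = ? OR status LIKE ?
      AND binds tighter than OR, so this is (client_id = ? AND id = ?) OR status LIKE ?
      and the LIKE branch is evaluated without the tenant constraint.
    Grouped:   client_id = ? AND (id = ? OR status LIKE ?)  -> tenant scope always applies.
    """
    conditions = ["client_id = ?"]
    params = [client_id]
    if search:
        or_filter = "id = ? OR status LIKE ?"
        conditions.append(f"({or_filter})" if grouped else or_filter)
        params += [search, f"%{search}%"]
    sql = "SELECT id, client_id, amount FROM tx WHERE " + " AND ".join(conditions)
    return sql + " ORDER BY id", params


def run_search(client_id, search, grouped):
    """Return (id, client_id, amount) rows the search yields for this client."""
    conn = setup_db()
    try:
        return conn.execute(*build_query(client_id, search, grouped)).fetchall()
    finally:
        conn.close()


def foreign_ids(client_id, search, grouped):
    """Regression check: ids of returned rows owned by another client (must be empty)."""
    return [row[0] for row in run_search(client_id, search, grouped) if row[1] != client_id]


if __name__ == "__main__":
    print("ungrouped:", foreign_ids(100, "paid", grouped=False))  # [3]: client 200's row
    print("grouped:  ", foreign_ids(100, "paid", grouped=True))   # []
```

A test like foreign_ids() run against every list endpoint's query builder is the kind of tenant-isolation check that catches this class of regression before release.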
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
2 associated CPEs
Vendor | Product | Version / Range
fossbilling | fossbilling | From 0.8.0 (exc)
fossbilling | fossbilling | to 0.8.0 (exc)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability exists in FOSSBilling versions 0.7.2 and earlier. It is caused by a flaw in how SQL queries are constructed in certain client list endpoints. Specifically, OR-based search filters were appended without grouping parentheses; because SQL evaluates AND before OR, the OR clauses were matched independently of the intended client_id restriction.

As a result, authenticated clients could craft requests that retrieve data belonging to other clients, including sensitive information such as identifiers, amounts, status, timestamps, and related fields.

This issue was fixed in version 0.8.0.

Impact Analysis

The vulnerability allows authenticated clients to bypass tenant scoping and access data of other clients. This can lead to unauthorized disclosure of sensitive client information such as identifiers, financial amounts, status, and timestamps.

Such unauthorized data access can result in privacy violations, potential financial fraud, loss of client trust, and damage to the reputation of the organization using FOSSBilling.

Mitigation Strategies

To mitigate this vulnerability, upgrade FOSSBilling to version 0.8.0 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows authenticated clients to bypass tenant scoping and retrieve other clients’ data, including identifiers, amounts, status, timestamps, and related fields.

Such unauthorized access to other clients' sensitive data could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls on personal and sensitive information to prevent unauthorized disclosure.

Therefore, exploitation of this vulnerability may result in non-compliance with these regulations due to improper data isolation and potential data breaches.
