CVE-2026-27708
Insecure Direct Object Reference in FOSSBilling Prior to 0.8.0

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach: attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS evaluated: N/A
Affected Vendors & Products (5 associated CPEs)
Vendor       Product      Version / Range
fossbilling  fossbilling  up to 0.8.0 (excluding)
fossbilling  fossbilling  0.8.0
fossbilling  fossbilling  0.1.0
fossbilling  fossbilling  0.7.2
fossbilling  fossbilling  from 0.1.0 (inclusive) to 0.7.2 (inclusive)
CWE ID   Description
CWE-862  The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-284  The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-639  The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

This vulnerability exists in FOSSBilling versions 0.7.2 and earlier, where the Servicecustom Client API's __call method accepts an order_id parameter and retrieves the associated order without verifying that the authenticated client actually owns it.

Because of this lack of ownership verification, an authenticated client can guess sequential order IDs and access other clients' custom services, leading to an Insecure Direct Object Reference (IDOR) vulnerability.

This allows attackers to read sensitive client information such as personally identifiable information (PII) including name, email, phone, address, company details, VAT number, and service configuration data belonging to other clients.

The issue was fixed in version 0.8.0.

Impact Analysis

This vulnerability can lead to a confidentiality breach where an attacker, who is an authenticated client, can access sensitive information of other clients by guessing order IDs.

  • Exposure of personally identifiable information (PII) such as names, emails, phone numbers, addresses, company details, and VAT numbers.
  • Unauthorized access to other clients' service configuration data.

Such exposure can result in privacy violations, loss of trust, and potential misuse of sensitive data.

Mitigation Strategies

To mitigate this vulnerability, upgrade FOSSBilling to version 0.8.0 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows unauthorized access to personally identifiable information (PII) such as names, emails, phone numbers, addresses, company details, and VAT numbers of clients by exploiting an Insecure Direct Object Reference (IDOR) flaw. Such unauthorized disclosure of PII can lead to breaches of confidentiality, which may violate data protection regulations like GDPR and HIPAA that require strict controls over access to sensitive personal data.

Because the vulnerability enables attackers to read sensitive client data without proper authorization, it undermines compliance with standards mandating data confidentiality and access controls. Organizations using affected versions of FOSSBilling prior to 0.8.0 could be at risk of non-compliance if this vulnerability is exploited.

Detection Guidance

This vulnerability can be detected by monitoring API requests to the Servicecustom Client API that include the order_id parameter. Specifically, look for authenticated client requests that attempt to access order data by manipulating or enumerating sequential order_id values.

Potential exploitation attempts can be detected by inspecting web server logs or API request logs for unusual patterns of order_id values accessed by a single client, especially sequential or out-of-range IDs.

  • Use grep or similar tools to search logs for API calls containing 'order_id' parameters, for example: grep 'order_id=' /var/log/nginx/access.log (access logs record the query string but not the request body, so an order_id sent in a POST body is only visible with application-level request logging).
  • Monitor for repeated requests from the same authenticated client IP or user agent that increment order_id values sequentially.
  • Use network traffic analysis tools like Wireshark or tcpdump to capture and filter HTTP requests to the vulnerable API endpoint, looking for order_id parameter manipulation; this only shows the parameters where the capture point sits after TLS termination.

Since the vulnerability requires authentication, verifying access control logs or authentication logs for suspicious activity related to order_id access can also help detect exploitation.
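As an added illustration of the log review described above (example code written for this record, not part of the CVE entry or the FOSSBilling project), the following Python groups access-log lines by client IP and user agent and flags clients whose distinct order_id values form a run of consecutive integers. The log lines are constructed samples, and the /api/client/servicecustom/get path is an assumed example endpoint rather than one taken from the FOSSBilling code base.

```python
import re
from collections import defaultdict

# Constructed sample nginx access-log lines (not from a real deployment); the
# /api/client/servicecustom/get path is an assumed example endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jun/2026:10:00:01 +0000] "GET /api/client/servicecustom/get?order_id=41 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [24/Jun/2026:10:00:02 +0000] "GET /api/client/servicecustom/get?order_id=42 HTTP/1.1" 200 498 "-" "curl/8.0"',
    '10.0.0.5 - - [24/Jun/2026:10:00:03 +0000] "GET /api/client/servicecustom/get?order_id=43 HTTP/1.1" 200 503 "-" "curl/8.0"',
    '10.0.0.9 - - [24/Jun/2026:10:01:00 +0000] "GET /api/client/servicecustom/get?order_id=17 HTTP/1.1" 200 510 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Jun/2026:10:05:00 +0000] "GET /api/client/servicecustom/get?order_id=17 HTTP/1.1" 200 510 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Jun/2026:10:06:00 +0000] "GET /api/client/invoice/get?id=18 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# Combined log format: client IP, identity, user, timestamp, request line, status, bytes, referer, user agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
ORDER_ID_RE = re.compile(r'[?&]order_id=(\d+)')

def extract_order_requests(lines):
    """Yield ((ip, user_agent), order_id) for each servicecustom request that carries order_id."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or '/servicecustom/' not in m['path']:
            continue
        oid = ORDER_ID_RE.search(m['path'])
        if oid:
            yield (m['ip'], m['ua']), int(oid.group(1))

def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among the distinct ids."""
    ordered = sorted(set(ids))
    best = run = 0
    for i, v in enumerate(ordered):
        run = run + 1 if i and v == ordered[i - 1] + 1 else 1
        best = max(best, run)
    return best

def find_enumeration(lines, min_run=3):
    """Return [(ip, ua, run_length)] for clients whose distinct order_ids include >= min_run consecutive values."""
    seen = defaultdict(list)
    for key, oid in extract_order_requests(lines):
        seen[key].append(oid)
    findings = []
    for (ip, ua), ids in seen.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            findings.append((ip, ua, run))
    return findings

if __name__ == '__main__':
    for ip, ua, run in find_enumeration(SAMPLE_LOG):
        print(f"possible order_id enumeration from {ip} ({ua}): {run} consecutive IDs")
```

A legitimate client that owns several consecutively numbered orders will also trip a low threshold, so tune min_run to the deployment and correlate hits with the authenticated client identity from the application's own logs rather than relying on IP and user agent alone.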
