CVE-2026-33543
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Because of a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The guard applies is_countable() to a value that is either a Model_Admin object or null, neither of which is a countable type, so the guard expression always evaluates as true and the intended protection is bypassed. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, obtaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.
Meta Information
Generated: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor        Product       Version / Range
fossbilling   fossbilling   up to 0.8.0 (excluding)
fossbilling   fossbilling   0.8.0
CWE ID    Description
CWE-306   The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-288   The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Executive Summary

This vulnerability exists in FOSSBilling versions 0.7.2 and prior, where a guest API endpoint (/api/guest/staff/create) meant for initial administrator setup remains accessible even after an administrator account has been created.

The issue arises because the check for an existing administrator is flawed. It applies the is_countable() function to a value that is either a Model_Admin object or null, neither of which is countable, so the check always evaluates as true and the intended protection is bypassed.
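To make the flawed check concrete, the following PHP illustration is added here; it is not FOSSBilling's own code. Model_Admin is a stand-in class, findFirstAdmin() is a hypothetical lookup helper, and bootstrapAllowedVulnerable() is a reconstruction of the guard pattern the advisory describes (is_countable() applied to a model-or-null value), not the project's actual line. It runs the reconstructed guard and a hardened guard side by side against the two states that matter: no admin yet, and an admin already provisioned.

```php
<?php
// Added illustration, not FOSSBilling code: why an is_countable() guard
// cannot detect an existing admin when the lookup returns an object or null.
declare(strict_types=1);

// Stand-in for the ORM model. A plain object does not implement Countable.
final class Model_Admin
{
    public function __construct(public string $email) {}
}

// Hypothetical lookup helper: "first admin row, or null if the table is empty".
function findFirstAdmin(?Model_Admin $fixture): ?Model_Admin
{
    return $fixture;
}

// Reconstruction of the flawed guard (assumption, not the project's code).
// is_countable() is false for a non-Countable object AND for null, so the
// left-hand side is always true and the bootstrap path is never closed.
function bootstrapAllowedVulnerable(mixed $existing): bool
{
    return !is_countable($existing) || count($existing) === 0;
}

// Hardened form: an admin exists exactly when the lookup returned a model.
function bootstrapAllowedFixed(?Model_Admin $existing): bool
{
    return $existing === null;
}

// Constructed fixtures for the two system states.
$cases = [
    'fresh install (no admin)'  => findFirstAdmin(null),
    'admin already provisioned' => findFirstAdmin(new Model_Admin('admin@example.invalid')),
];

foreach ($cases as $label => $existing) {
    printf(
        "%-27s vulnerable allows bootstrap: %-3s fixed allows bootstrap: %s\n",
        $label,
        bootstrapAllowedVulnerable($existing) ? 'yes' : 'no',
        bootstrapAllowedFixed($existing) ? 'yes' : 'no'
    );
}
```

Running it shows the reconstructed guard permitting bootstrap in both states, while the hardened guard permits it only when the lookup returns null. The general lesson for reviewers of similar bootstrap endpoints is to assert on the lookup's actual type (a model instance or null) rather than on a property such as countability that the value never has; a test that exercises the "admin already exists" state, like the second fixture above, would have caught the bypass before release.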

As a result, an attacker can access this unprotected endpoint to create a new administrator account and immediately authenticate, gaining full administrative privileges even when an admin already exists.

This vulnerability was fixed in version 0.8.0.

Impact Analysis

An attacker exploiting this vulnerability can create a new administrator account without authorization.

This grants the attacker full administrative access to the FOSSBilling system, allowing them to manage billing and client data, potentially leading to unauthorized data access, modification, or deletion.

Such unauthorized access can compromise the integrity, confidentiality, and availability of the system and its data.

Mitigation Strategies

To mitigate this vulnerability, upgrade FOSSBilling to version 0.8.0 or later, where the issue has been fixed.

Avoid using versions 0.7.2 and prior, as they expose an unprotected guest API endpoint that allows creation of new administrator accounts even after an admin exists.
