CVE-2026-33543
Deferred Deferred - Pending Action

Guest Admin Creation Bypass in FOSSBilling

Vulnerability report for CVE-2026-33543, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fossbilling fossbilling to 0.8.0 (exc)
fossbilling fossbilling 0.8.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking if the vulnerable guest API endpoint /api/guest/staff/create is accessible on your FOSSBilling installation, especially if the version is 0.7.2 or earlier.

You can attempt to detect the vulnerability by sending an unauthenticated HTTP request to the endpoint and observing if it allows creation of a new administrator account.

A simple command using curl to test accessibility of the endpoint might be:

  • curl -X POST https://your-fossbilling-domain/api/guest/staff/create -d '{"username":"testadmin","password":"TestPass123!"}' -H 'Content-Type: application/json' -v

If the endpoint responds positively and allows creation of a new admin account without prior authentication, the system is vulnerable.

Additionally, you can check the version of FOSSBilling installed; versions 0.7.2 and earlier are vulnerable, while version 0.8.0 and later include the fix.

As a temporary mitigation, blocking or restricting access to the /api/guest/staff/create endpoint at the web server or firewall level can help prevent exploitation.

Compliance Impact

The vulnerability allows an attacker to create a new administrator account and gain full privileged access to the system. This unauthorized access could lead to exposure or manipulation of sensitive client and billing data managed by FOSSBilling.

Such unauthorized administrative access can compromise the confidentiality, integrity, and availability of personal and financial data, potentially violating data protection regulations such as GDPR and HIPAA that require strict access controls and protection of sensitive information.

Therefore, this vulnerability negatively impacts compliance with common standards and regulations by undermining the security controls necessary to protect sensitive data.

Executive Summary

This vulnerability exists in FOSSBilling versions 0.7.2 and prior, where a guest API endpoint (/api/guest/staff/create) meant for initial administrator setup remains accessible even after an administrator account has been created.

The issue arises because the check to see if an administrator already exists is flawed. It uses the is_countable() function on a value that returns either a Model_Admin object or null, which is not countable. This causes the check to always evaluate as true, bypassing the intended protection.

As a result, an attacker can access this unprotected endpoint to create a new administrator account and immediately authenticate, gaining full administrative privileges even when an admin already exists.

This vulnerability was fixed in version 0.8.0.

Impact Analysis

An attacker exploiting this vulnerability can create a new administrator account without authorization.

This grants the attacker full administrative access to the FOSSBilling system, allowing them to manage billing and client data, potentially leading to unauthorized data access, modification, or deletion.

Such unauthorized access can compromise the integrity, confidentiality, and availability of the system and its data.

Mitigation Strategies

To mitigate this vulnerability, upgrade FOSSBilling to version 0.8.0 or later, where the issue has been fixed.

Avoid using versions 0.7.2 and prior, as they expose an unprotected guest API endpoint that allows creation of new administrator accounts even after an admin exists.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33543. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart