CVE-2026-43920
Received - Intake
Unauthenticated Remote Code Execution in FOSSBilling

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, which allowed unauthenticated remote users to trigger update patch routines that modify configuration files, execute database schema changes, perform filesystem mutations, and clear caches. The /run-patcher endpoint executes privileged maintenance operations - configuration migrations, database patch execution (including ALTER TABLE, DROP TABLE, UPDATE statements), filesystem deletions and renames, and cache clearing - without requiring administrator authentication, CSRF validation, or CLI context. An unauthenticated remote attacker can trigger these operations by sending a simple HTTP GET request to /run-patcher, which can be abused for denial-of-service attacks. Certain patches (e.g., batch token regeneration for all admin and client accounts in patch 53, and session invalidation) are disruptive even when re-executed against an already-patched instance. Repeated or concurrent requests may also cause inconsistent database state. This issue has been fixed in version 0.8.0.
Meta Information
  • Published: 2026-06-26
  • Last Modified: 2026-06-26
  • Generated: 2026-06-26
  • AI Q&A: 2026-06-26
  • EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
  • Vendor: fossbilling; Product: fossbilling; Version / Range: from 0.5.4 (inclusive) to 0.7.2 (inclusive)
  • Vendor: fossbilling; Product: fossbilling; Version: 0.8.0
Exploitability
  • CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Quick Actions (insights generated by AI)
Executive Summary

CVE-2026-43920 is a vulnerability in FOSSBilling versions 0.5.4 through 0.7.2 where the /run-patcher maintenance endpoint is accessible without authentication.

This endpoint allows unauthenticated remote users to trigger privileged maintenance operations such as modifying configuration files, executing database schema changes (including ALTER TABLE, DROP TABLE, and UPDATE statements), performing filesystem deletions and renames, and clearing caches.

Because these operations can be triggered by a simple HTTP GET request without administrator authentication, CSRF validation, or CLI context, attackers can exploit this to cause denial of service, inconsistent database state, or unauthorized modifications.

Impact Analysis

This vulnerability lets unauthenticated remote attackers trigger critical maintenance operations on your FOSSBilling system, with the following consequences:

  • Denial-of-service attacks by triggering disruptive patch routines repeatedly.
  • Unauthorized modifications to configuration files and database schema, potentially corrupting or destabilizing your system.
  • Filesystem mutations such as deletions and renames that could disrupt normal operations.
  • Cache clearing that might affect system performance or behavior unexpectedly.
  • Potential inconsistent database states caused by repeated or concurrent requests.
Detection Guidance

This vulnerability can be detected by checking if the /run-patcher endpoint is accessible without authentication on your FOSSBilling installation versions 0.5.4 through 0.7.2.

A simple way to test this is by sending an unauthenticated HTTP GET request to the /run-patcher endpoint and observing if it triggers maintenance operations.

For example, you can use the following command to test accessibility from a terminal:

  • curl -v http://your-fossbilling-server/run-patcher

If the endpoint responds and triggers patch routines without requiring authentication, the system is vulnerable. Note that on a vulnerable instance the test request itself executes the patch routines, which the description says are disruptive even when re-run against an already-patched install, so run it only against a staging copy or after taking a backup.

Additionally, monitoring web server logs for unexpected GET requests to /run-patcher can help detect exploitation attempts.
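Added example, not from the advisory or the FOSSBilling project: a Python check that scans a web server access log in the Apache/nginx combined format for requests to /run-patcher, flags any from a non-loopback source, and flags repeated hits from one source within a short window, the repeat/concurrency pattern the description warns can leave the database inconsistent. The log lines are constructed, and the function names and thresholds are this example's own assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address
PATCHER_PATH = "/run-patcher"
# Apache/nginx "combined" log format (names in this block are this example's own).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Constructed sample: three rapid remote hits, one unrelated request, one local hit.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jun/2026:10:00:01 +0000] "GET /run-patcher HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.2 - - [26/Jun/2026:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jun/2026:10:00:02 +0000] "GET /run-patcher HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [26/Jun/2026:10:00:03 +0000] "GET /run-patcher?x=1 HTTP/1.1" 500 0 "-" "curl/8.4.0"
127.0.0.1 - - [26/Jun/2026:10:05:00 +0000] "GET /run-patcher HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or return None on no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_patcher_hits(log_text):
    """Return every request whose path (query string stripped) is /run-patcher."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] == PATCHER_PATH:
            hits.append(rec)
    return hits

def assess(hits, window_s=60, burst_threshold=2):
    """Flag hits from non-loopback sources ("remote_hit") and sources with at least
    burst_threshold hits within window_s seconds ("burst", the repeat/concurrency risk)."""
    findings, per_ip = [], {}
    for rec in hits:
        per_ip.setdefault(rec["ip"], []).append(rec["ts"])
        if not ip_address(rec["ip"]).is_loopback:
            findings.append(("remote_hit", rec["ip"], rec["ts"].isoformat()))
    for ip, stamps in sorted(per_ip.items()):
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_s)
            if n >= burst_threshold:
                findings.append(("burst", ip, f"{n} hits within {window_s}s"))
                break
    return findings
```

Feed it a real access log with `find_patcher_hits(open(path).read())`; a hit from localhost alone is expected during an administrator-driven upgrade, while remote or bursty hits warrant investigation.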

Mitigation Strategies

Immediate mitigation steps include blocking external access to the /run-patcher endpoint at the web server level to prevent unauthenticated remote triggering of maintenance operations.

Alternatively, avoid using the /run-patcher web endpoint for applying database patches and instead apply patches via the command line interface (CLI), which requires proper authentication.

Ultimately, upgrading FOSSBilling to version 0.8.0 or later is recommended, as this version fixes the vulnerability by requiring authentication and improving security controls.

Before upgrading, review the release notes for potential breaking changes and back up your installation.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to execute privileged maintenance operations that modify configuration files, database schemas, and filesystem contents without authentication. This can lead to unauthorized data modifications, potential denial-of-service, and inconsistent database states.

Such unauthorized access and potential data integrity issues could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls, data integrity, and protection against unauthorized modifications.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.
