CVE-2026-42331
Received Received - Intake

Unauthenticated Invoice Payment Gateway Modification in FOSSBilling

Vulnerability report for CVE-2026-42331, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the payment gateway associated with an unpaid invoice. An attacker who obtains an invoice hash, which may leak through shared URLs, referrer headers, or email links, can change the `gateway_id` on an unpaid invoice to any payment gateway configured in the system. This does not allow redirecting payments to an arbitrary external endpoint, as the gateway must already be installed and configured by an administrator. The practical impact is further limited by the `invoice_accessible_from_hash` system setting. Version 0.8.0 contains a patch. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fossbilling fossbilling to 0.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in FOSSBilling versions prior to 0.8.0, specifically in the Guest API invoice/update endpoint. Unlike other invoice-related endpoints, this endpoint lacks an authorization check, allowing an unauthenticated user who knows an invoice hash to modify the payment gateway associated with an unpaid invoice.

An attacker can obtain an invoice hash through shared URLs, referrer headers, or email links, and then change the `gateway_id` on the unpaid invoice to any payment gateway configured in the system. However, the attacker cannot redirect payments to arbitrary external endpoints since the gateway must already be installed and configured by an administrator.

The impact is somewhat limited by the system setting `invoice_accessible_from_hash`. The issue was patched in version 0.8.0, and no known workarounds exist.

Impact Analysis

This vulnerability allows an unauthenticated attacker to modify the payment gateway on an unpaid invoice if they know the invoice hash. This could lead to unauthorized changes in how payments are processed within the system.

While the attacker cannot redirect payments to arbitrary external endpoints, they can switch the payment gateway to any configured gateway, potentially causing confusion, misrouting of payments, or disruption in billing processes.

The practical impact is limited by system settings and the requirement that gateways must be pre-configured by an administrator.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade FOSSBilling to version 0.8.0 or later, which contains a patch for the missing authorization check in the Guest API invoice/update endpoint.

No known workarounds are available, so applying the official patch by upgrading is the recommended action.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42331. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart