CVE-2026-43918
Received Received - Intake

Session Persistence in FOSSBilling After Account Suspension

Vulnerability report for CVE-2026-43918, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php (loggedin_client and loggedin_admin) only reject sessions if the backing account record no longer exists in the database. They do not verify that the account's status is still active. This allows a suspended or deactivated user to retain full access until their session naturally expires. This issue has been fixed in version 0.8.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fossbilling fossbilling to 0.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in FOSSBilling versions prior to 0.8.0. When a client or staff/admin account is suspended or marked inactive, the system does not invalidate existing authenticated sessions for that user. The session identity loaders only reject sessions if the account no longer exists in the database, but they do not check if the account is still active. As a result, suspended or deactivated users can continue to access the system with their existing sessions until those sessions expire naturally.

Impact Analysis

This vulnerability can allow suspended or deactivated users to retain full access to the system despite their account status change. This means unauthorized access can persist, potentially leading to unauthorized actions, data exposure, or misuse of system resources until the user's session expires.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade FOSSBilling to version 0.8.0 or later, where the issue has been fixed.

Until the upgrade is applied, consider manually invalidating existing sessions for suspended or deactivated users to prevent continued access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43918. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart