CVE-2026-43925
Received Received - Intake

Unauthenticated Mass Assignment in FOSSBilling Client Groups

Vulnerability report for CVE-2026-43925, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can gate promo code eligibility, an attacker may apply group-restricted discount codes and receive unauthorized discounts. Version 0.8.0 contains a patch. As a workaround, administrators can either remove group restrictions from promo codes or disable client self-registration (Settings β†’ Clients β†’ Disable signup).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fossbilling fossbilling to 0.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in FOSSBilling, an open-source billing and client management system, prior to version 0.8.0. It is an unauthenticated mass assignment vulnerability in the client self-registration endpoint. This means that any visitor, without needing to log in, can assign themselves to any client group they choose during the sign-up process.

Since client groups control access to promo codes, an attacker exploiting this vulnerability can apply group-restricted discount codes and receive unauthorized discounts.

The issue was fixed in version 0.8.0. As a temporary workaround, administrators can either remove group restrictions from promo codes or disable client self-registration.

Impact Analysis

This vulnerability can lead to unauthorized users obtaining discounts they are not entitled to by assigning themselves to privileged client groups during registration.

This can result in financial losses due to misuse of promo codes and discounts.

Additionally, it may undermine the integrity of client group management and promotional campaigns.

Mitigation Strategies

To mitigate this vulnerability, administrators should either remove group restrictions from promo codes or disable client self-registration.

Disabling client self-registration can be done via the application settings: Settings β†’ Clients β†’ Disable signup.

Alternatively, upgrading FOSSBilling to version 0.8.0 or later will apply the patch that fixes this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43925. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart