CVE-2026-43927
Received Received - Intake

Race Condition in FOSSBilling Promo Code Validation

Vulnerability report for CVE-2026-43927, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending concurrent checkout requests before any single request completes the usage increment, a client can obtain unlimited discounted or free orders from a single-use or limited-use promo code. Version 0.8.0 patches the issue. Some workarounds are available. Disable promo codes entirely until a patch is available or monitor the `promo` table for `used` values exceeding `maxuses` and manually review affected orders.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fossbilling fossbilling to 0.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to financial loss because an attacker or malicious client can exploit the race condition to use promo codes more times than allowed, potentially obtaining unlimited discounted or free products or services.

It undermines the intended business logic and promotional controls, allowing abuse of limited-use promo codes which can affect revenue and trust in the billing system.

Executive Summary

This vulnerability exists in FOSSBilling, an open-source billing and client management system, prior to version 0.8.0. It is caused by a race condition in the cart checkout flow that allows an authenticated client to apply a promo code more times than its configured maximum usage limit.

By sending multiple concurrent checkout requests before any single request completes updating the promo code usage count, a client can bypass the usage limit and obtain unlimited discounted or free orders from a promo code that is intended for single or limited use.

Version 0.8.0 of FOSSBilling patches this issue. Workarounds include disabling promo codes until the patch is applied or monitoring the promo code usage in the database to detect and manually review any promo codes used beyond their allowed limits.

Detection Guidance

This vulnerability can be detected by monitoring the promo code usage in the system. Specifically, you should monitor the `promo` table for `used` values that exceed the configured `maxuses` value.

Since the issue involves concurrent checkout requests, you can also look for multiple simultaneous checkout requests applying the same promo code before the usage count increments.

A suggested approach is to query the database to find promo codes where the number of times used exceeds the maximum allowed uses.

  • Example SQL command to detect overused promo codes: SELECT promo_code, used, maxuses FROM promo WHERE used > maxuses;
  • Monitor web server logs or application logs for concurrent checkout requests using the same promo code.
Mitigation Strategies

The immediate mitigation step is to disable promo codes entirely until the system is patched to version 0.8.0 or later.

Alternatively, you can monitor the `promo` table for any promo codes where the `used` count exceeds the `maxuses` and manually review and address affected orders.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43927. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart