CVE-2026-53642
Received Received - Intake

Unauthorized Data Access in FOSSBilling Due to Missing Email Verification

Vulnerability report for CVE-2026-53642, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address (`email_approved = 0`) can access all client-area pages (e.g. `/client/balance`, `/client/order/list`, `/client/invoice`) and read real account data, including wallet balances and transaction history. The API-side enforcement correctly restricts unverified clients to only profile-related endpoints, but the page-side enforcement is overly permissive, allowing any request whose path starts with `/client`. Version 0.8.0 contains a fix. No known workarounds that don't involve modifying the source code are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fossbilling fossbilling From 0.5.6 (inc) to 0.7.2 (inc)
fossbilling fossbilling 0.8.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects FOSSBilling versions 0.5.6 through 0.7.2 when the "Require Email Confirmation" setting is enabled. A logged-in client whose email address is unverified (email_approved = 0) can access all client-area pages, such as balance, order list, and invoice pages, and view real account data including wallet balances and transaction history. Although the API restricts unverified clients to profile-related endpoints, the web page enforcement is too permissive and allows access to any URL path starting with /client.

This means that unverified users can see sensitive account information they should not have access to. The issue was fixed in version 0.8.0, and no known workarounds exist without modifying the source code.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive client information such as wallet balances and transaction history to users who have not verified their email addresses. This could result in privacy breaches, loss of trust, and potential misuse of exposed financial data.

Mitigation Strategies

The vulnerability exists in FOSSBilling versions 0.5.6 through 0.7.2 when the "Require Email Confirmation" setting is enabled. The issue allows logged-in clients with unverified email addresses to access client-area pages and read sensitive account data.

The immediate mitigation step is to upgrade FOSSBilling to version 0.8.0 or later, which contains a fix for this vulnerability.

No known workarounds exist that do not involve modifying the source code.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53642. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart