CVE-2026-53644
Received Received - Intake

Authenticated API Key Secret Exposure in FOSSBilling

Vulnerability report for CVE-2026-53644, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an `active` state (e.g., `suspended`, `canceled`). The root cause is missing order-state validation in two client API endpoints, despite an `isActive()` helper already existing in the `Serviceapikey` module and the frontend UI correctly gating access on `order.status == 'active'`. Version 0.8.0 contains a fix. Some workarounds are available. If the `Serviceapikey` module is not needed, uninstall it to remove the affected endpoints. One may also use a reverse proxy or WAF to restrict access to `/api/client/order/service` and `/api/client/serviceapikey/reset` based on application-level order-state logic.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fossbilling fossbilling From 0.5.3 (inc) to 0.7.2 (inc)
fossbilling fossbilling 0.8.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects FOSSBilling versions 0.5.3 through 0.7.2, where authenticated clients can read and reset API key service secrets for orders that are not in an active state, such as suspended or canceled orders.

The root cause is that two client API endpoints lack validation of the order's state, even though a helper function to check if an order is active exists and the frontend UI correctly restricts access based on order status.

This means clients can access sensitive API key information for inactive orders, which should normally be protected.

Version 0.8.0 of FOSSBilling contains a fix for this issue.

Workarounds include uninstalling the Serviceapikey module if it is not needed or using a reverse proxy or WAF to restrict access to the affected API endpoints based on order state.

Impact Analysis

This vulnerability can lead to unauthorized access to API key service secrets for orders that are no longer active.

An attacker or unauthorized client with valid authentication could read or reset API keys for suspended or canceled orders, potentially leading to misuse of services or unauthorized actions.

Such unauthorized access could compromise the security and integrity of the billing and client management system.

Detection Guidance

This vulnerability involves authenticated clients accessing API endpoints to read and reset API key service secrets for orders that are not in an active state. Detection would involve monitoring or inspecting access to the affected endpoints.

Specifically, you can look for requests to the following API endpoints: /api/client/order/service and /api/client/serviceapikey/reset.

Commands or methods to detect this might include inspecting web server logs or using network monitoring tools to filter for HTTP requests to these endpoints from authenticated clients.

  • Use grep or similar tools on server logs to find access to the endpoints, e.g., grep "/api/client/order/service" /var/log/nginx/access.log
  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP traffic for these endpoints.
  • Implement application-level logging or monitoring to track usage of these API endpoints by authenticated users.
Mitigation Strategies

Immediate mitigation steps include upgrading to FOSSBilling version 0.8.0 or later, which contains a fix for this vulnerability.

If upgrading is not immediately possible, consider uninstalling the Serviceapikey module if it is not needed, as this removes the affected endpoints.

Alternatively, use a reverse proxy or Web Application Firewall (WAF) to restrict access to the vulnerable endpoints (/api/client/order/service and /api/client/serviceapikey/reset) based on application-level order-state logic.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53644. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart