CVE-2026-53645
Received Received - Intake

Privilege Escalation in FOSSBilling via API Permission Manipulation

Vulnerability report for CVE-2026-53645, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow a low-privileged staff account to grant arbitrary module permissions to itself through the admin API, resulting in persistent privilege escalation. A staff user that only has `staff.create_and_edit_staff` can call `/api/admin/staff/permissions_update` targeting their own account and write any permission structure, bypassing the intended role-based access control boundary. Version 0.8.0 patches the issue. Some workarounds are available. Restrict the `staff.create_and_edit_staff` permission to only highly trusted staff members and/or use a reverse proxy or WAF to restrict access to `/api/admin/staff/permissions_update` to specific trusted roles.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fossbilling fossbilling to 0.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects FOSSBilling versions prior to 0.8.0. It allows a low-privileged staff user, who only has the permission to create and edit staff, to escalate their privileges by granting themselves arbitrary module permissions through the admin API.

Specifically, such a user can call the endpoint /api/admin/staff/permissions_update targeting their own account and modify any permission structure, bypassing the intended role-based access control.

This results in persistent privilege escalation, meaning the user can maintain elevated permissions beyond their original scope.

The issue is patched in version 0.8.0, and some workarounds include restricting the staff.create_and_edit_staff permission to highly trusted staff members or using a reverse proxy or WAF to limit access to the permissions update API.

Impact Analysis

This vulnerability can lead to unauthorized privilege escalation within the FOSSBilling system.

A low-privileged staff user could gain higher-level permissions, potentially allowing them to access sensitive billing and client management functions that should be restricted.

Such unauthorized access could result in data manipulation, unauthorized changes to billing information, or disruption of client management processes.

Overall, it compromises the security and integrity of the billing system and could lead to broader organizational risks.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade FOSSBilling to version 0.8.0 or later, which contains the patch for this issue.

If upgrading immediately is not possible, restrict the permission 'staff.create_and_edit_staff' to only highly trusted staff members.

Additionally, use a reverse proxy or Web Application Firewall (WAF) to restrict access to the endpoint '/api/admin/staff/permissions_update' to specific trusted roles.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53645. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart