CVE-2026-42341 in FOSSBilling
Summary
by MITRE • 07/06/2026
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit the associated client account without making an actual payment, by sending a single crafted HTTP request. Version 0.8.0 patches the issue. Some workarounds are available. Disable the Custom payment gateway if not actively needed and/or restrict access to `/ipn.php` at the web server level (e.g., via IP allowlisting), noting that this may interfere with legitimate payment callback processing.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/06/2026
The vulnerability in FOSSBilling represents a critical authorization flaw that undermines the integrity of the billing system's payment processing mechanism. This unauthenticated payment bypass affects versions 0.6.0 through 0.7.2 and specifically targets the IPN (Instant Payment Notification) callback endpoint within the Custom payment adapter functionality. The flaw stems from insufficient validation of incoming requests, allowing malicious actors to manipulate the system's payment status without proper authentication or authorization. This vulnerability directly maps to CWE-285: Improper Authorization, which classifies issues where systems fail to properly verify that an actor is authorized to perform a requested operation. The security weakness creates a pathway for attackers to manipulate financial records and client accounts through simple HTTP requests.
The technical implementation of this vulnerability exploits the lack of proper input validation and authentication checks within the IPN processing endpoint. When the Custom payment adapter is enabled, any attacker capable of sending a crafted HTTP request to the `/ipn.php` endpoint can manipulate unpaid invoices to appear as paid status while simultaneously crediting client accounts with corresponding amounts. This bypass occurs because the system does not validate whether the incoming request originates from an authorized payment processor or contains proper authentication tokens. The vulnerability allows for arbitrary invoice manipulation and account crediting without requiring legitimate payment processing, effectively enabling financial fraud through simple network requests.
The operational impact of this vulnerability extends beyond simple unauthorized access to include potential financial losses, client account manipulation, and compromise of the entire billing system's trust model. Attackers can exploit this flaw to create false payments for any unpaid invoice in the system, potentially affecting multiple clients simultaneously if not properly isolated. This represents a significant risk to service providers who rely on FOSSBilling for managing client relationships and financial transactions. The vulnerability creates an environment where unauthorized individuals can manipulate payment records, potentially leading to revenue loss, customer disputes, and system integrity compromise that requires extensive forensic analysis and recovery measures.
Organizations affected by this vulnerability should implement immediate mitigations including disabling the Custom payment gateway if not actively required in their deployment environments. Network-level restrictions through web server configuration, such as IP allowlisting for access to `/ipn.php`, can provide additional protection but must be carefully implemented to avoid disrupting legitimate payment processing operations. The patch released in version 0.8.0 addresses the core authorization issue by implementing proper validation checks and authentication requirements for all payment callback requests. This vulnerability demonstrates the importance of secure coding practices and input validation, particularly when handling financial transactions where the integrity of system state is paramount to business operations. The ATT&CK framework categorizes this as a privilege escalation technique through unauthorized modification of system state, highlighting the need for robust access controls and proper authentication mechanisms in payment processing systems.