CVE-2026-43918 in FOSSBilling
Summary
by MITRE • 07/07/2026
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php (loggedin_client and loggedin_admin) only reject sessions if the backing account record no longer exists in the database. They do not verify that the account's status is still active. This allows a suspended or deactivated user to retain full access until their session naturally expires. This issue has been fixed in version 0.8.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
This vulnerability represents a critical session management flaw in FOSSBilling that directly violates fundamental security principles of access control and authentication. The issue stems from improper session validation logic where the system fails to enforce account status checks during session verification processes. When users are suspended or marked inactive by administrators, their authenticated sessions remain valid until natural expiration, creating a persistent security risk that allows unauthorized access to system resources. The vulnerability is particularly concerning because it undermines the principle of least privilege and enables attackers to maintain access even after legitimate account deactivation.
The technical implementation flaw resides in the session identity loaders located within src/di.php at lines corresponding to loggedin_client and loggedin_admin functions. These components only perform existence checks against database records without incorporating active status verification during authentication validation. This design pattern creates a window of opportunity where suspended accounts can continue operating with full privileges, as the system does not actively invalidate sessions based on account state changes. The vulnerability aligns with CWE-613, which addresses insufficient session expiration mechanisms, and represents a failure to implement proper session lifecycle management that should include status validation during authentication checks.
The operational impact of this vulnerability extends beyond simple unauthorized access, potentially enabling persistent threats where compromised or suspended accounts can continue to perform administrative functions until their sessions expire naturally. This creates a significant risk for system integrity as suspended users retain the ability to modify client data, access sensitive billing information, and potentially escalate privileges through continued session usage. Attackers could exploit this weakness by gaining initial access through legitimate means, then waiting for account suspension or deactivation without losing access to the system, effectively bypassing intended security controls.
Mitigation strategies should focus on implementing robust session invalidation mechanisms that actively check account status during authentication validation rather than relying solely on database record existence. The fix implemented in version 0.8.0 likely incorporates account status verification within the session loaders to ensure that any attempt to use a suspended or inactive account immediately results in session rejection. Organizations should also implement additional security controls such as immediate session invalidation upon account status changes, regular session audits, and monitoring for suspicious activity patterns. This vulnerability demonstrates the importance of following ATT&CK framework principles for credential access and privilege escalation, where proper session management is crucial for maintaining system security boundaries and preventing unauthorized persistence within legitimate user sessions.