CVE-2026-53642 in FOSSBillinginfo

Summary

by MITRE • 07/07/2026

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address (`email_approved = 0`) can access all client-area pages (e.g. `/client/balance`, `/client/order/list`, `/client/invoice`) and read real account data, including wallet balances and transaction history. The API-side enforcement correctly restricts unverified clients to only profile-related endpoints, but the page-side enforcement is overly permissive, allowing any request whose path starts with `/client`. Version 0.8.0 contains a fix. No known workarounds that don't involve modifying the source code are available.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/07/2026

This vulnerability exists within FOSSBilling's client access control implementation where a logical inconsistency allows unauthorized data exposure despite security measures intended to restrict unverified users. The system maintains a database field email_approved set to 0 for clients who have not confirmed their email addresses, yet the front-end authorization logic fails to properly enforce this restriction across all client-facing pages. When the "Require Email Confirmation" setting is enabled, the application should prevent unverified users from accessing sensitive account information including financial data and transaction histories.

The technical flaw manifests in the page-side enforcement mechanism which implements a simplistic path-based access control rather than proper authentication state verification. The system employs a wildcard matching approach that permits access to any URL path beginning with /client without validating whether the requesting user has completed email verification. This represents a classic authorization bypass vulnerability where the security check is based on URL patterns rather than user authentication status, creating an access control weakness that allows privilege escalation from unverified to verified user permissions. The API-side implementation correctly enforces restrictions by limiting unverified clients to profile-related endpoints only, demonstrating that the developers understood proper access control principles but failed to apply them consistently across all application interfaces.

The operational impact of this vulnerability is significant as it exposes sensitive financial and personal data of users who have not completed email verification. An attacker could exploit this flaw to gain access to wallet balances, transaction histories, order lists, and invoice information from other users' accounts. This creates a substantial risk of financial fraud, identity theft, and privacy violations since the system's primary purpose is managing billing and client relationships where such data is highly valuable. The vulnerability affects all versions between 0.5.6 and 0.7.2 inclusive, representing a prolonged window during which users were exposed to potential data breaches.

The fix implemented in version 0.8.0 addresses this by correcting the front-end access control logic to properly validate email verification status before granting access to client-area pages. This aligns with the principle of least privilege and proper authentication enforcement, ensuring that only verified users can access sensitive account information. Organizations using affected versions should immediately upgrade to version 0.8.0 or later, as no practical workarounds exist without modifying the source code. The vulnerability classification aligns with CWE-285 (Improper Authorization) and falls under ATT&CK technique T1078 (Valid Accounts) as it exploits legitimate user accounts to access unauthorized resources. This represents a critical security gap that demonstrates the importance of consistent authorization enforcement across all application interfaces, particularly in systems handling financial data where user verification is crucial for maintaining security boundaries.

Responsible

GitHub M

Reservation

06/09/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!