CVE-2026-53645 in FOSSBilling
Summary
by MITRE • 07/07/2026
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow a low-privileged staff account to grant arbitrary module permissions to itself through the admin API, resulting in persistent privilege escalation. A staff user that only has `staff.create_and_edit_staff` can call `/api/admin/staff/permissions_update` targeting their own account and write any permission structure, bypassing the intended role-based access control boundary. Version 0.8.0 patches the issue. Some workarounds are available. Restrict the `staff.create_and_edit_staff` permission to only highly trusted staff members and/or use a reverse proxy or WAF to restrict access to `/api/admin/staff/permissions_update` to specific trusted roles.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/07/2026
The FOSSBilling vulnerability represents a critical privilege escalation flaw that undermines the system's core access control mechanisms. This issue affects versions prior to 080 and demonstrates a fundamental breakdown in role-based access control implementation. The vulnerability allows low-privileged staff members who possess only the seemingly innocuous permission `staff.create_and_edit_staff` to escalate their privileges indefinitely by manipulating module permissions for their own account through the administrative API endpoints.
The technical exploitation of this vulnerability occurs through the `/api/admin/staff/permissions_update` endpoint which lacks proper authorization checks for the target user account. A malicious staff member with minimal privileges can craft API requests that update their own permission structure to include any arbitrary module permissions, effectively bypassing the intended security boundaries. This flaw stems from insufficient input validation and access control enforcement within the administrative API framework, creating a persistent backdoor for privilege escalation attacks.
The operational impact of this vulnerability extends beyond immediate privilege abuse, as it provides attackers with sustained access to sensitive system functions and data. Once exploited, the compromised account can perform actions typically restricted to higher-privileged administrators, potentially leading to complete system compromise including user data manipulation, system configuration changes, and unauthorized module access. The vulnerability affects the integrity and confidentiality of the entire billing and client management system.
From a cybersecurity perspective, this vulnerability aligns with CWE-285 (Improper Authorization) and represents a classic case of insufficient access control validation. The ATT&CK framework categorizes this as privilege escalation through API manipulation, specifically leveraging weak API endpoint authorization controls. The issue demonstrates poor security design principles where the system assumes that users with specific permissions cannot abuse those permissions to gain additional privileges through API manipulation.
The remediation approach for this vulnerability includes both immediate and long-term solutions. Version 080 addresses the core issue through proper access control enforcement, but organizations should implement additional defensive measures including strict permission management where `staff.create_and_edit_staff` is restricted to only highly trusted personnel. Network-level protections such as reverse proxies or web application firewalls can provide additional layers of defense by restricting direct access to sensitive API endpoints based on trusted roles and IP addresses.
Organizations should conduct comprehensive security audits of their FOSSBilling installations to identify any potential exploitation attempts and ensure proper permission assignments. The vulnerability serves as a reminder of the importance of principle of least privilege implementation and the necessity of robust API security controls in open-source systems that handle sensitive financial and client data. Regular security updates and monitoring for unauthorized permission changes remain critical defensive measures against similar vulnerabilities in the future.