CVE-2026-53647 in FOSSBillinginfo

Summary

by MITRE • 07/07/2026

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest `serviceapikey/get_info` API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters (`custom_*` fields) stored in the key's database record. These custom fields are populated by billing administrators and can contain business-sensitive data such as pricing tiers, feature flags, rate limits, expiry overrides, or access scope data. Version 0.8.0 patches the issue. Some workarounds are available. Administrators can avoid storing sensitive data in `custom_*` API key configuration fields, monitor API logs for suspicious calls to `/api/guest/serviceapikey/get_info`, and/or disable the Serviceapikey module if not in active use.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The FOSSBilling vulnerability represents a critical authentication bypass flaw that undermines the security posture of this open-source billing management system. This issue affects versions 0.5.3 through 0.7.2 where the guest serviceapikey/get_info API endpoint lacks proper access controls, allowing unauthorized users to retrieve sensitive configuration data from API key records. The vulnerability stems from inadequate input validation and access control mechanisms within the application's API framework, creating an attack surface that exposes business-critical information stored in custom fields associated with API keys.

The technical implementation of this flaw involves the serviceapikey module failing to verify caller authentication status before processing requests to the get_info endpoint. This design oversight enables any individual possessing a valid API key to enumerate and extract all custom_* configuration parameters from the database record associated with that key. These custom fields typically contain sensitive business data including pricing tiers, feature flags, rate limits, expiry overrides, and access scope information that could be exploited by malicious actors to gain unauthorized insights into system operations and potentially identify additional attack vectors.

The operational impact of this vulnerability extends beyond simple information disclosure, as it enables attackers to gather comprehensive intelligence about the billing system's configuration and business logic. The exposure of pricing tiers and feature flags can provide competitive advantages to adversaries, while access scope data and rate limit configurations may reveal system limitations that could be exploited in subsequent attacks. This vulnerability aligns with CWE-284 Access Control Issues, specifically manifesting as improper access control where the application fails to properly verify authorization before allowing access to sensitive resources. The attack pattern follows ATT&CK technique T1566 Credential Access through API key enumeration and information gathering.

The mitigation strategies for this vulnerability encompass multiple defensive layers that administrators should implement immediately. The most effective solution involves upgrading to FOSSBilling version 0.8.0 which contains the necessary patch addressing the authentication bypass. Additionally, administrators can employ defensive measures such as removing sensitive data from custom_* fields within API key configurations, implementing comprehensive monitoring of API logs for anomalous calls to the affected endpoint, and disabling the Serviceapikey module entirely if not actively required for operations. These remediation approaches align with security best practices outlined in NIST SP 800-53 and ISO/IEC 27001 frameworks, particularly focusing on access control and information classification controls that protect sensitive business data from unauthorized disclosure.

Responsible

GitHub M

Reservation

06/09/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!