CVE-2026-23513
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
In FOSSBilling versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. The issue stemmed from improper grouping of filters in queries, allowing OR clauses to be evaluated independently of the enforced client_id constraint.
Risk Assessment
The organization is at risk of leaking sensitive client data, such as identifiers, amounts, statuses, and timestamps, which could lead to privacy breaches and regulatory non-compliance.
Recommendation
Immediately update FOSSBilling to version 0.8.0 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery(), OR-based search/action filters were appended without grouping, allowing SQL operator precedence to evaluate OR clauses independently of the enforced client_id constraint. Crafted requests could therefore return records and metadata belonging to other clients, including identifiers, amounts, status, timestamps, and related fields. This issue was fixed in version 0.8.0.

