CVE-2026-27604
CriticalCVSS 10.0Summary
FOSSBilling versions 0.5.4 to 0.8.0 have an authorization bypass in API role handling, allowing unauthenticated access to privileged `/api/system/*` endpoints. Attackers can invoke admin API methods without valid credentials.
Risk Assessment
This vulnerability poses a serious security risk, allowing attackers to access administrative functions of the system without authorization, potentially leading to significant data breaches.
Recommendation
It is recommended to block external access to `/api/system/*` at the reverse proxy/WAF, restrict API access to trusted IP addresses only, and immediately rotate all admin/client API tokens.
Original NVD description (English source)
FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident.

