CVE Catalog

CVE-2026-27708

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

FOSSBilling versions 0.7.2 and prior have a vulnerability in the API that allows authenticated clients to access other clients' data by guessing order IDs. The __call method in the API does not verify if the client owns the order, potentially leading to data exposure.

Risk Assessment

The organization may face confidentiality breaches as attackers can access other clients' personal information, leading to serious legal and reputational consequences.

Recommendation

It is recommended to update FOSSBilling to version 0.8.0 to mitigate this vulnerability and implement additional access verification mechanisms for client data.

Original NVD description (English source)

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach — attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS