Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-53644— FOSSBilling's missing order-state validation allows clients to read and reset API key secrets for non-active orders

AI Predicted 6.5 Difficulty: Trivial EPSS 0.25% · P16

Affected Version Matrix 1

VendorProductVersion RangeStatus
FOSSBillingFOSSBilling>= 0.5.3, < 0.8.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53644

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
FOSSBilling's missing order-state validation allows clients to read and reset API key secrets for non-active orders
Source: NVD (National Vulnerability Database)
Vulnerability Description
FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an `active` state (e.g., `suspended`, `canceled`). The root cause is missing order-state validation in two client API endpoints, despite an `isActive()` helper already existing in the `Serviceapikey` module and the frontend UI correctly gating access on `order.status == 'active'`. Version 0.8.0 contains a fix. Some workarounds are available. If the `Serviceapikey` module is not needed, uninstall it to remove the affected endpoints. One may also use a reverse proxy or WAF to restrict access to `/api/client/order/service` and `/api/client/serviceapikey/reset` based on application-level order-state logic.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
FOSSBillingFOSSBilling >= 0.5.3, < 0.8.0 -

II. Public POCs for CVE-2026-53644

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53644

登录查看更多情报信息。

Vendor Advisories for CVE-2026-53644 (1)

Same Patch Batch · FOSSBilling · 2026-07-06 · 17 CVEs total

CVE-2026-42341FOSSBilling has an unauthenticated payment bypass via IPN callback forgery
CVE-2026-42331FOSSBilling missing authorization in guest Invoice API endpoints
CVE-2026-33734FOSSBilling has improper SQL neutralization in `Massmailer` recipient filters
CVE-2026-43921FOSSBilling vulnerable to arbitrary PHP code injection via unescaped config serialization
CVE-2026-43918Suspended or inactive FOSSBilling accounts can retain or regain access through existing se
CVE-2026-43927FOSSBilling has race condition in cart checkout that bypasses promo code usage limits
CVE-2026-43925FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized
CVE-2026-43928FOSSBilling: Payment amount not validated in PayPalEmail adapter allows invoice underpayme
CVE-2026-53640FOSSBilling missing authorization checks on read-only admin API endpoints expose sensitive
CVE-2026-53641FOSSBilling has stored XSS in client email views via unescaped content in JavaScript templ
CVE-2026-53645FOSSBilling's missing self-edit prevention in staff permission management allows persisten
CVE-2026-53646FOSSBilling: Client password reset token reuse allows persistent account takeover
CVE-2026-53643FOSSBilling allows low-privileged staff accounts to perform unauthorized actions via admin
CVE-2026-53642FOSSBilling: Unverified clients can access client-area pages when email confirmation is re
CVE-2026-53647FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Servi
CVE-2026-53648FOSSBilling: Downloadable product files can be overwritten through filename collisions

IV. Related Vulnerabilities

V. Comments for CVE-2026-53644

No comments yet


Leave a comment