CRITICAL CVE-2026-27604 (CNA: GitHub_M)

CVE-2026-27604: FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident.

Metrics

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

An authorization bypass vulnerability in FOSSBilling allows unauthenticated remote attackers to call privileged admin API endpoints under the `/api/system/*` path. Because the `system` role incorrectly resolves to the cron admin identity, no credentials, session, or CSRF token are needed to invoke admin-level API methods. Successful exploitation gives an attacker full administrative control over the billing system, including the ability to read, modify, and potentially destroy all managed data. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built FOSSBilling images, in both registry scans and CI pipeline checks.

Triage: Available

HarborGuard scores this finding at CVSS 10.0 (Critical) and is capable of weighting it against each customer environment's compliance policy to determine escalation priority; routing to the appropriate team inbox inside each customer org is supported based on policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment FOSSBilling ships a resolved release. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API endpoints are exposed over the network, so an attacker must be able to reach the FOSSBilling service via HTTP/HTTPS.

  • Authentication: Not required

    No credentials, session token, or CSRF token are required; the authorization bypass allows unauthenticated callers to invoke admin API methods directly.

  • Victim interaction: Not required

    The attacker sends crafted API requests directly to the server; no action from a logged-in user or administrator is needed.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race windows, or knowledge of memory layout.

Blast Radius

  • Reads all billing records, client personal data, stored API tokens, and admin credentials held by the FOSSBilling instance.
  • Modifies or deletes invoices, client accounts, subscription records, and system configuration through unrestricted admin API calls.
  • Crashes or destabilizes the billing service by invoking destructive admin operations without restriction.
  • Compromises downstream systems and integrations by harvesting and reusing admin and client API tokens exposed through the bypass.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version exists for CVE-2026-27604 at this time, HarborGuard continuously re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment FOSSBilling publishes a resolved release. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR opened against affected workloads will follow without manual intervention. While waiting for an upstream patch, HarborGuard's network-policy controls can be used to isolate affected containers and restrict inbound access to the `/api/system/*` path at the ingress or reverse proxy layer. Additional compensating controls recommended by the upstream project include restricting API access to trusted source IPs via the `api.allowed_ips` setting, rotating all admin and client API tokens immediately, invalidating active sessions, resetting high-privilege credentials, and reviewing API request logs for any prior `/api/system/` activity as a potential incident indicator.
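The log review that the upstream workaround calls for, written out as an added example that is not HarborGuard's or FOSSBilling's own code: it parses combined-format access log lines (constructed samples, with placeholder method names) and flags every request to `/api/system/` whose source IP falls outside a trusted allow-list. The allow-list format (single IPs or CIDRs) is an assumption modelled on the `api.allowed_ips` setting, and the cron host is assumed to be the only legitimate caller of that path.

```python
import ipaddress
import posixpath
import re

# Combined log format (nginx/Apache): client IP first, request in quotes, then status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic); the method names are placeholders.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Mar/2026:03:00:01 +0000] "GET /api/system/sample_cron_method HTTP/1.1" 200 12
203.0.113.7 - - [10/Mar/2026:03:14:22 +0000] "POST /api/system/sample_admin_method HTTP/1.1" 200 4812
203.0.113.7 - - [10/Mar/2026:03:14:25 +0000] "GET //api/system/sample_admin_method?x=1 HTTP/1.1" 200 901
198.51.100.9 - - [10/Mar/2026:03:15:00 +0000] "GET /api/guest/sample_public_method HTTP/1.1" 200 300
203.0.113.7 - - [10/Mar/2026:03:16:10 +0000] "POST /api/system/sample_admin_method HTTP/1.1" 403 0
"""

def normalize_path(target):
    """Drop the query string and collapse '//' or '/../' so path tricks cannot hide the prefix."""
    path = target.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))

def is_system_endpoint(path):
    return path == "/api/system" or path.startswith("/api/system/")

def is_trusted(ip, allowed_nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source field: treat as untrusted
    return any(addr in net for net in allowed_nets)

def find_suspicious_system_calls(log_text, allowed_ips):
    """Return every /api/system/ request from a source outside the allow-list.
    Blocked (403) attempts are kept as well: they still show who is probing."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = normalize_path(m["target"])
        if is_system_endpoint(path) and not is_trusted(m["ip"], allowed_nets):
            findings.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                             "path": path, "status": int(m["status"])})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_system_calls(SAMPLE_LOG, ["127.0.0.1", "10.0.0.0/8"]):
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

Any hit from a host that is not the cron runner is worth treating as the incident indicator the advisory describes, regardless of the response status.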

Affected packages
  • FOSSBilling / FOSSBilling
    >= 0.5.4, < 0.8.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H