{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-27604/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-23T15:11:21.675Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-27604","@id":"https://www.cve.org/CVERecord?id=CVE-2026-27604","description":"FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at "},"products":[{"@id":"cpe:2.3:a:fossbilling:fossbilling:\\>\\=_0.5.4\\,_\\<_0.8.0:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:fossbilling:fossbilling:\\>\\=_0.5.4\\,_\\<_0.8.0:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-23T15:11:21.675Z"}]}