CRITICAL | CVE-2026-33543 | Published | Modified | CNA: GitHub_M

CVE-2026-33543: FOSSBilling: Authentication bypass allows unauthenticated administrator creation

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard applies is_countable() to a lookup that returns a Model_Admin object or null rather than a countable type, so the expression always evaluates as true and the intended protection is bypassed. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

Authentication bypass in FOSSBilling (versions 0.7.2 and prior) allows any unauthenticated remote attacker to create a new administrator account through a guest API endpoint that was intended only for initial setup. A flawed guard check using is_countable() on a non-countable return type causes the admin-existence protection to always evaluate as true, leaving the /api/guest/staff/create endpoint permanently open. Successful exploitation gives the attacker a fully privileged admin session, enabling complete control over the billing and client management system. No fix version has been published upstream; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix is released.
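The guard failure described in the CVE description and in the synopsis above, as an added illustration that is not FOSSBilling's own code: Model_Admin, findAdmin() and the array standing in for the admin table are hypothetical stand-ins, and the two guard functions place the flawed is_countable() pattern beside a check on the type the lookup actually returns.

```php
<?php
// Added illustration (not FOSSBilling's code): why an is_countable() guard
// cannot tell "no admin yet" from "an admin already exists".
// Model_Admin, findAdmin() and the $adminTable array are hypothetical stand-ins.

declare(strict_types=1);

final class Model_Admin          // hypothetical stand-in for the ORM record
{
    public function __construct(public string $email) {}
}

/** Hypothetical lookup: first admin row as an object, or null if none exists. */
function findAdmin(array $adminTable): ?Model_Admin
{
    return $adminTable[0] ?? null;
}

/**
 * Vulnerable pattern: is_countable() is false for null AND for a plain object
 * (Model_Admin does not implement Countable), so the guard gets the same
 * answer whether or not an administrator exists and bootstrap stays open.
 */
function bootstrapAllowedVulnerable(array $adminTable): bool
{
    $admin = findAdmin($adminTable);
    // Intended meaning: "allow bootstrap unless the lookup is a non-empty list".
    return !(is_countable($admin) && count($admin) > 0);
}

/**
 * Hardened pattern: test the type the lookup actually returns.
 * null means no admin yet; any Model_Admin means bootstrap is closed.
 */
function bootstrapAllowedFixed(array $adminTable): bool
{
    return findAdmin($adminTable) === null;
}

// Constructed sample states (not real data)
$fresh    = [];                                       // no administrator yet
$deployed = [new Model_Admin('admin@example.test')];  // one admin exists

foreach (['vulnerable' => 'bootstrapAllowedVulnerable',
          'fixed'      => 'bootstrapAllowedFixed'] as $label => $fn) {
    printf("%-10s fresh=%s deployed=%s\n", $label,
        var_export($fn($fresh), true), var_export($fn($deployed), true));
}
```

Run it with PHP 8 or later: the vulnerable guard reports true for both the fresh and the deployed state, because is_countable() is false for null and for a plain Model_Admin alike and the negation turns that into "no admin yet"; the hardened guard reports true only for the fresh install. The same reasoning applies to any guard that applies a collection predicate to a result that is a single object or null.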

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-33543 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle FOSSBilling, in both registry scans and CI/CD pipeline checks.

Triage: Available

HarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v4.0 vector and can weight that score against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version exists yet, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment FOSSBilling publishes a corrective release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the fix is available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is served over HTTP/HTTPS, so the attacker must be able to reach the FOSSBilling service across a network.

  • Authentication: Not required

    The endpoint is a guest API route; no account, token, or credential of any kind is required to invoke it.

  • Victim interaction: Not required

    The attacker calls the endpoint directly; no action from an existing user or administrator is needed.

  • Attack complexity

    Exploitation is reliable and condition-free: the flawed is_countable() check always evaluates as true regardless of system state, so no race condition or special environment configuration is required.

Blast Radius

  • The attacker creates a net-new administrator account with full privileges, bypassing every access control in the application.
  • With an admin session, the attacker reads all stored customer records, invoices, payment details, and credentials managed by FOSSBilling.
  • The attacker modifies or deletes billing records, client accounts, pricing configurations, and any data persisted by the system.
  • The attacker can disrupt service availability by altering system settings or removing critical configuration, effectively taking the instance offline.

How HarborGuard Handles This

Available on HarborGuard: detection for this critical authentication bypass is active across all customer environments, matching any image that includes an affected FOSSBilling version (< 0.8.0) against the published advisory within minutes of ingestion. Because no upstream patch exists yet, the recommended immediate compensating controls are to isolate the FOSSBilling service behind a network policy that restricts inbound access to trusted sources only, to apply egress filtering that limits lateral movement from a compromised instance, and to disable the bootstrap feature via configuration where possible, otherwise gating the /api/guest/staff/create endpoint at the reverse-proxy or WAF layer. HarborGuard re-checks the upstream advisory on every ingest cycle; when FOSSBilling publishes a fix, a patched-image rebuild will become available automatically. For customers with auto-remediation enabled, that rebuild will be followed by a regression run and a PR opened against affected workloads, with no manual steps required.

Affected packages

  • FOSSBilling / FOSSBilling: < 0.8.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N