PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27604 FOSSBilling CVE debrief

CVE-2026-27604 is a critical authorization bypass vulnerability in FOSSBilling, a free, open-source billing and client management system. The vulnerability allows unauthenticated access to privileged `/api/system/*` endpoints, enabling attackers to invoke admin API methods without valid credentials, session, or CSRF token. FOSSBilling version 0.8.0 patches the issue. Some workarounds are available, including blocking external access to `/api/system/*` at reverse proxy/WAF and restricting API access by trusted source IPs only.

Vendor: FOSSBilling
Product: Unknown
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-23
Advisory published: 2026-06-23
Advisory updated: 2026-06-23

Who should care

Administrators and users of FOSSBilling versions prior to 0.8.0 should be aware of this critical vulnerability. Immediate action is necessary to prevent exploitation. Users should update to version 0.8.0 or apply workarounds to mitigate the risk.

Technical summary

The root cause is an authorization bypass in FOSSBilling's API role handling: requests to the privileged `/api/system/*` endpoints resolve to the cron admin identity, so an unauthenticated attacker can invoke admin API methods without valid credentials, a session, or a CSRF token. The CVSS score for this vulnerability is 10, indicating a critical severity.

Defensive priority

High priority should be given to updating FOSSBilling to version 0.8.0 or applying workarounds to mitigate the risk of exploitation.

Recommended defensive actions

  • Update FOSSBilling to version 0.8.0
  • Block external access to `/api/system/*` at reverse proxy/WAF
  • Restrict API access by trusted source IPs only
  • Rotate all admin/client API tokens immediately
  • Invalidate active sessions and reset high-privilege credentials
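The reverse proxy workaround from the list above, written out as an added example (this is not configuration from the advisory or from the FOSSBilling project): an nginx server block that denies `/api/system/*` to every source except a trusted management network, while leaving the rest of the application reachable. The upstream address, hostname, certificate paths and the `192.0.2.0/24` trusted range are placeholders to be replaced with the operator's own values.

```nginx
# Added example, not from the advisory or FOSSBilling: nginx workaround for
# CVE-2026-27604 until the upgrade to 0.8.0 is deployed.
# Assumptions: FOSSBilling listens on 127.0.0.1:8080 behind this proxy, and
# 192.0.2.0/24 is a placeholder for the trusted source network.

upstream fossbilling {
    server 127.0.0.1:8080;   # assumed backend address
}

server {
    listen 443 ssl;
    server_name billing.example.com;               # placeholder hostname
    ssl_certificate     /etc/ssl/placeholder.pem;  # placeholder cert path
    ssl_certificate_key /etc/ssl/placeholder.key;  # placeholder key path

    # ^~ makes this prefix location win over any regex location below it,
    # so a generic PHP or static-file location cannot re-expose the path.
    location ^~ /api/system/ {
        allow 192.0.2.0/24;   # placeholder: trusted source IPs only
        deny  all;            # everyone else is refused with 403 before
                              # the request reaches FOSSBilling
        proxy_pass http://fossbilling;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is proxied unchanged.
    location / {
        proxy_pass http://fossbilling;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The `allow`/`deny` check uses the address of the immediate TCP peer, so if another proxy or load balancer sits in front of nginx the real client address must first be restored with the ngx_http_realip_module (`set_real_ip_from` and `real_ip_header`), otherwise every request appears to come from that proxy. Prefix matching is case-sensitive; if FOSSBilling's router also accepts `/API/system/`, use a case-insensitive regex location (`location ~* ^/api/system/`) instead.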

Evidence notes

The vulnerability was reported by an unknown source and is tracked by CVE-2026-27604. The CVSS score for this vulnerability is 10, indicating a critical severity. The vulnerability affects FOSSBilling versions prior to 0.8.0.

Official resources

This article is AI-assisted and based on the supplied source corpus.