PatchSiren cyber security CVE debrief
CVE-2026-42331 FOSSBilling CVE debrief
CVE-2026-42331 is a high-severity vulnerability in FOSSBilling, a free, open-source billing and client management system. The vulnerability exists in the Guest API invoice/update endpoint, which lacks an authorization check present in other invoice-related endpoints. This omission allows an unauthenticated user with knowledge of an invoice hash to modify the payment gateway associated with an unpaid invoice.
- Vendor
- FOSSBilling
- Product
- Unknown
- CVSS
- HIGH 7.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Administrators and users of FOSSBilling, especially those with unpaid invoices, should be aware of this vulnerability. The ability to change the payment gateway on an unpaid invoice could lead to unauthorized modifications, although the practical impact is limited by the need for the gateway to be pre-configured and the 'invoice_accessible_from_hash' system setting.
Technical summary
The vulnerability in FOSSBilling's Guest API invoice/update endpoint allows an unauthenticated user to change the payment gateway for an unpaid invoice if they know the invoice hash. This is possible because the endpoint lacks an authorization check. However, the attacker cannot redirect payments to an arbitrary external endpoint; the gateway must be installed and configured by an administrator. The issue is patched in version 0.8.0.
Defensive priority
High priority should be given to updating FOSSBilling to version 0.8.0 or later. In the meantime, review and restrict access to invoice hashes, and closely monitor for any unauthorized changes to payment gateways.
Recommended defensive actions
- Update FOSSBilling to version 0.8.0 or later.
- Review and restrict access to invoice hashes.
- Closely monitor for any unauthorized changes to payment gateways.
- Consider implementing additional compensating controls to detect and prevent exploitation attempts.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. The source item URL and reference to the GitHub security advisory offer additional context. However, due to limited source detail, defenders should verify the affected scope and severity based on available information and consider potential evidence limits. Review of the official advisory or CVE record is recommended to validate affected scope, severity, and vendor guidance.
Official resources
-
CVE-2026-42331 CVE record
CVE.org
-
CVE-2026-42331 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:55.617Z and has not been modified since then.