PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42331 FOSSBilling CVE debrief

CVE-2026-42331 is a high-severity vulnerability in FOSSBilling, a free, open-source billing and client management system. The vulnerability exists in the Guest API invoice/update endpoint, which lacks an authorization check present in other invoice-related endpoints. This omission allows an unauthenticated user with knowledge of an invoice hash to modify the payment gateway associated with an unpaid invoice.

Vendor
FOSSBilling
Product
Unknown
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Administrators and users of FOSSBilling, especially those with unpaid invoices, should be aware of this vulnerability. The ability to change the payment gateway on an unpaid invoice could lead to unauthorized modifications, although the practical impact is limited by the need for the gateway to be pre-configured and the 'invoice_accessible_from_hash' system setting.

Technical summary

The vulnerability in FOSSBilling's Guest API invoice/update endpoint allows an unauthenticated user to change the payment gateway for an unpaid invoice if they know the invoice hash. This is possible because the endpoint lacks an authorization check. However, the attacker cannot redirect payments to an arbitrary external endpoint; the gateway must be installed and configured by an administrator. The issue is patched in version 0.8.0.

Defensive priority

High priority should be given to updating FOSSBilling to version 0.8.0 or later. In the meantime, review and restrict access to invoice hashes, and closely monitor for any unauthorized changes to payment gateways.

Recommended defensive actions

  • Update FOSSBilling to version 0.8.0 or later.
  • Review and restrict access to invoice hashes.
  • Closely monitor for any unauthorized changes to payment gateways.
  • Consider implementing additional compensating controls to detect and prevent exploitation attempts.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. The source item URL and reference to the GitHub security advisory offer additional context. However, due to limited source detail, defenders should verify the affected scope and severity based on available information and consider potential evidence limits. Review of the official advisory or CVE record is recommended to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:55.617Z and has not been modified since then.