PatchSiren cyber security CVE debrief
CVE-2026-42341 FOSSBilling CVE debrief
CVE-2026-42341 is an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. Versions 0.6.0 through 0.7.2 are affected when the Custom payment adapter is enabled. An attacker can mark any unpaid invoice as paid and credit the associated client account without making an actual payment by sending a single crafted HTTP request. Version 0.8.0 patches the issue. Some workarounds are available, such as disabling the Custom payment gateway if not actively needed and/or restricting access to `/ipn.php` at the web server level.
- Vendor
- FOSSBilling
- Product
- Unknown
- CVSS
- CRITICAL 9.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of FOSSBilling versions 0.6.0 through 0.7.2 who have the Custom payment adapter enabled should be aware of this vulnerability and take necessary actions to protect their systems. Operators, administrators, and security teams managing FOSSBilling deployments need to assess potential exposure and implement mitigations.
Technical summary
The vulnerability exists in the IPN callback endpoint of FOSSBilling. When the Custom payment adapter is enabled, an attacker can exploit this vulnerability by sending a crafted HTTP request to mark any unpaid invoice as paid and credit the associated client account without making an actual payment. Affected versions are 0.6.0 through 0.7.2, and version 0.8.0 patches the issue. The Custom payment adapter must be enabled for exploitation.
Defensive priority
High
Recommended defensive actions
- Disable the Custom payment gateway if not actively needed
- Restrict access to `/ipn.php` at the web server level
- Upgrade to version 0.8.0 or later
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-06T21:16:55.740Z and was last modified on 2026-07-07T16:16:39.413Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify affected product scope, vendor guidance, and potential exposure with limited source information.
Official resources
-
CVE-2026-42341 CVE record
CVE.org
-
CVE-2026-42341 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:55.740Z and has not been modified since then. The NVD entry is currently Deferred.