PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42341 FOSSBilling CVE debrief

CVE-2026-42341 is an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. Versions 0.6.0 through 0.7.2 are affected when the Custom payment adapter is enabled. An attacker can mark any unpaid invoice as paid and credit the associated client account without making an actual payment by sending a single crafted HTTP request. Version 0.8.0 patches the issue. Some workarounds are available, such as disabling the Custom payment gateway if not actively needed and/or restricting access to `/ipn.php` at the web server level.

Vendor
FOSSBilling
Product
Unknown
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of FOSSBilling versions 0.6.0 through 0.7.2 who have the Custom payment adapter enabled should be aware of this vulnerability and take necessary actions to protect their systems. Operators, administrators, and security teams managing FOSSBilling deployments need to assess potential exposure and implement mitigations.

Technical summary

The vulnerability exists in the IPN callback endpoint of FOSSBilling. When the Custom payment adapter is enabled, an attacker can exploit this vulnerability by sending a crafted HTTP request to mark any unpaid invoice as paid and credit the associated client account without making an actual payment. Affected versions are 0.6.0 through 0.7.2, and version 0.8.0 patches the issue. The Custom payment adapter must be enabled for exploitation.

Defensive priority

High

Recommended defensive actions

  • Disable the Custom payment gateway if not actively needed
  • Restrict access to `/ipn.php` at the web server level
  • Upgrade to version 0.8.0 or later
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-06T21:16:55.740Z and was last modified on 2026-07-07T16:16:39.413Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify affected product scope, vendor guidance, and potential exposure with limited source information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:55.740Z and has not been modified since then. The NVD entry is currently Deferred.