PatchSiren

CVE-2026-43926 FOSSBilling CVE debrief

CVE-2026-43926 is a MEDIUM severity vulnerability in FOSSBilling, a free, open-source billing and client management system. The vulnerability allows an attacker to bypass the rate limiter and probe the password reset confirmation endpoint for valid reset tokens without any per-IP request limiting, attempt counting, or lockout mechanism.

This is possible because the password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to `/api/*` routes. The endpoint acts as an oracle, returning a distinguishable response for valid versus invalid tokens (HTTP 200 vs HTTP 302 redirect).

However, practical exploitability is significantly mitigated by the current token generation, which uses `hash('sha256', random_bytes(32))`, providing 256 bits of entropy. Tokens also expire after 15 minutes and are deleted after successful use.

The same architectural gap applies to other controller-served auth routes, including `/staff/email/:hash` (admin password reset confirmation) and `/client/confirm-email/:hash` (email confirmation).

Vendor: FOSSBilling
Product: Unknown
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-04
Advisory published: 2026-06-04
Advisory updated: 2026-06-04

Who should care

Users of FOSSBilling prior to version 0.8.0 should apply the patch or workarounds to prevent exploitation.

Technical summary

The password reset confirmation endpoint `/client/reset-password-confirm/:hash` in FOSSBilling prior to version 0.8.0 is vulnerable to rate limiter bypass. The endpoint is handled by a non-API controller and is not covered by FOSSBilling's rate limiter. This allows an attacker to submit unlimited token guesses to the password reset confirmation endpoint with no throttling applied.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to FOSSBilling version 0.8.0 or later.
  • Configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the `/client/reset-password-confirm/*` and `/staff/email/*` paths.
  • Use a WAF rule to limit request rates to these endpoints.
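
To check whether these routes have already been probed, the following added example (not FOSSBilling or PatchSiren code) scans access-log lines for clients that cycle through many distinct tokens on the controller-served routes and lists any token path that answered HTTP 200. The combined log format, the threshold of 5 distinct tokens per 15 minutes, and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Controller-served token routes named in this debrief (not under /api/*).
TOKEN_ROUTE = re.compile(
    r"^/(client/reset-password-confirm|staff/email|client/confirm-email)/[^/?\s]+")
# Assumption: access log in the common "combined" format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
WINDOW = timedelta(minutes=15)  # same length as the token lifetime
THRESHOLD = 5                   # assumed limit on distinct tokens per IP per window


def find_token_probing(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each IP that requested more than `threshold` distinct tokens inside
    any `window` to its peak count and the token paths that answered HTTP 200."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not TOKEN_ROUTE.match(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, m["path"].split("?")[0], int(m["status"])))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start = peak = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({path for _, path, _ in evs[start:end + 1]}))
        if peak > threshold:
            # On the reset-confirm route, 200 (not the 302 redirect) marks a valid token.
            hits = sorted({path for _, path, status in evs if status == 200})
            findings[ip] = {"max_distinct": peak, "hits": hits}
    return findings


# Constructed sample: one client cycling through 8 tokens, one ordinary user.
SAMPLE_LOG = [
    f'203.0.113.7 - - [04/Jun/2026:10:00:{i:02d} +0000] '
    f'"GET /client/reset-password-confirm/{i:064x} HTTP/1.1" 302 0 "-" "-"'
    for i in range(8)
] + ['198.51.100.20 - - [04/Jun/2026:10:01:00 +0000] "GET /client/'
     'reset-password-confirm/' + "ab" * 32 + ' HTTP/1.1" 200 512 "-" "-"']

if __name__ == "__main__":
    for ip, info in find_token_probing(SAMPLE_LOG).items():
        print(ip, info)
```

A non-empty `hits` list for a flagged address is the case to escalate, since it means a guessed or stolen token was accepted.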

Evidence notes

Practical exploitability is significantly mitigated by the current token generation, which uses `hash('sha256', random_bytes(32))`, providing 256 bits of entropy. Tokens also expire after 15 minutes and are deleted after successful use.

Official resources

CVE-2026-43926 was published on 2026-06-04T14:16:41.193Z and modified on 2026-06-04T15:41:35.193Z.