PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53645 FOSSBilling CVE debrief

CVE-2026-53645 is a high-severity vulnerability in FOSSBilling versions prior to 0.8.0. The issue allows a low-privileged staff account to grant arbitrary module permissions to itself through the admin API, resulting in persistent privilege escalation. A staff user with only `staff.create_and_edit_staff` permission can call `/api/admin/staff/permissions_update` targeting their own account and write any permission structure, bypassing the intended role-based access control boundary. Version 0.8.0 patches the issue. Some workarounds are available, such as restricting the `staff.create_and_edit_staff` permission to only highly trusted staff members and/or using a reverse proxy or WAF to restrict access to `/api/admin/staff/permissions_update` to specific trusted roles.

Vendor
FOSSBilling
Product
Unknown
CVSS
HIGH 8.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

System administrators and security teams responsible for FOSSBilling installations, especially those with low-privileged staff accounts, should be aware of this vulnerability and take immediate action to patch or mitigate it.

Technical summary

The vulnerability exists in FOSSBilling versions prior to 0.8.0, where a low-privileged staff account can escalate privileges through the admin API. The issue arises from inadequate role-based access control in the `/api/admin/staff/permissions_update` endpoint, allowing a staff user with `staff.create_and_edit_staff` permission to modify their own permissions and bypass intended access controls. This can be mitigated by restricting the `staff.create_and_edit_staff` permission to highly trusted staff members, using a reverse proxy or WAF to limit access to `/api/admin/staff/permissions_update`, and monitoring for suspicious activity related to staff account privilege escalation.

Defensive priority

High

Recommended defensive actions

  • Apply the patch by upgrading to FOSSBilling version 0.8.0 or later
  • Restrict the `staff.create_and_edit_staff` permission to only highly trusted staff members
  • Use a reverse proxy or WAF to restrict access to `/api/admin/staff/permissions_update` to specific trusted roles
  • Monitor for suspicious activity related to staff account privilege escalation
  • Perform regular inventory checks to ensure all FOSSBilling installations are up-to-date

Evidence notes

The CVE record was published on 2026-07-06T23:16:56.493Z and was last modified on 2026-07-07T14:16:32.857Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 8.5 and is classified as HIGH severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T23:16:56.493Z and has not been modified since then. The NVD entry is currently Deferred.