PatchSiren cyber security CVE debrief
CVE-2026-53645 FOSSBilling CVE debrief
CVE-2026-53645 is a high-severity vulnerability in FOSSBilling versions prior to 0.8.0. The issue allows a low-privileged staff account to grant arbitrary module permissions to itself through the admin API, resulting in persistent privilege escalation. A staff user with only `staff.create_and_edit_staff` permission can call `/api/admin/staff/permissions_update` targeting their own account and write any permission structure, bypassing the intended role-based access control boundary. Version 0.8.0 patches the issue. Some workarounds are available, such as restricting the `staff.create_and_edit_staff` permission to only highly trusted staff members and/or using a reverse proxy or WAF to restrict access to `/api/admin/staff/permissions_update` to specific trusted roles.
- Vendor
- FOSSBilling
- Product
- Unknown
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
System administrators and security teams responsible for FOSSBilling installations, especially those with low-privileged staff accounts, should be aware of this vulnerability and take immediate action to patch or mitigate it.
Technical summary
The vulnerability exists in FOSSBilling versions prior to 0.8.0, where a low-privileged staff account can escalate privileges through the admin API. The issue arises from inadequate role-based access control in the `/api/admin/staff/permissions_update` endpoint, allowing a staff user with `staff.create_and_edit_staff` permission to modify their own permissions and bypass intended access controls. This can be mitigated by restricting the `staff.create_and_edit_staff` permission to highly trusted staff members, using a reverse proxy or WAF to limit access to `/api/admin/staff/permissions_update`, and monitoring for suspicious activity related to staff account privilege escalation.
Defensive priority
High
Recommended defensive actions
- Apply the patch by upgrading to FOSSBilling version 0.8.0 or later
- Restrict the `staff.create_and_edit_staff` permission to only highly trusted staff members
- Use a reverse proxy or WAF to restrict access to `/api/admin/staff/permissions_update` to specific trusted roles
- Monitor for suspicious activity related to staff account privilege escalation
- Perform regular inventory checks to ensure all FOSSBilling installations are up-to-date
Evidence notes
The CVE record was published on 2026-07-06T23:16:56.493Z and was last modified on 2026-07-07T14:16:32.857Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 8.5 and is classified as HIGH severity.
Official resources
-
CVE-2026-53645 CVE record
CVE.org
-
CVE-2026-53645 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T23:16:56.493Z and has not been modified since then. The NVD entry is currently Deferred.