PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53646 FOSSBilling CVE debrief

The FOSSBilling system, a free, open-source billing and client management solution, was found to have a vulnerability in versions 0.5.6 through 0.7.2. This issue pertains to the reuse of tokens for client password reset requests. When a 'ClientPasswordReset' record already exists for a client, subsequent calls to the 'reset_password' guest API endpoint would reuse the existing token instead of generating a new one. The validity of this token is tied to the timestamp of the first request, not the most recent email sent for the reset. This means an attacker who obtained the original reset link could continue to use it even after the victim requested a new reset, as the original token is never invalidated or rotated. The issue was addressed in version 0.8.0 of FOSSBilling. As workarounds, users can configure a reverse proxy to apply per-IP rate limiting to the '/client/reset-password' endpoint or manually clear expired 'client_password_reset' records from the database after a client reports a suspected compromise.

Vendor
FOSSBilling
Product
Unknown
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

System administrators and security professionals managing or using FOSSBilling versions 0.5.6 through 0.7.2 should be aware of this vulnerability. Given the high CVSS score of 7.7, indicating a high severity, immediate attention is advised to upgrade to version 0.8.0 or apply the recommended workarounds to mitigate the risk of unauthorized access to client accounts.

Technical summary

The vulnerability in FOSSBilling allows for the reuse of client password reset tokens under certain conditions. Specifically, if a 'ClientPasswordReset' record exists (from a previous, unexpired reset request), subsequent requests to reset the password will reuse this existing token rather than generating a new one. The 15-minute validity period of the token is determined by the 'created_at' timestamp of the first request, not the most recent attempt. This behavior enables an attacker who has obtained the original reset link to continue using it, even after the client has requested a new password reset. The issue arises from the lack of token invalidation or rotation in such scenarios.

Defensive priority

High priority should be given to applying the patch in version 0.8.0 or implementing the suggested workarounds. Given the high severity and the potential for exploitation, immediate action is necessary to protect against unauthorized access.

Recommended defensive actions

  • Upgrade FOSSBilling to version 0.8.0 or later
  • Configure a reverse proxy for per-IP rate limiting on the '/client/reset-password' endpoint
  • Manually clear expired 'client_password_reset' records from the database as needed
  • Review system configurations for potential exposure
  • Monitor for suspicious activity related to password reset requests
  • Perform a thorough review of system logs for signs of exploitation
  • Track and document remediation efforts for future reference

Evidence notes

The CVE record and NVD details provide information on the vulnerability's existence and its patched version. The GitHub security advisory offers additional context on the issue and the fix. Evidence is limited to public statements from CVE.org, NVD, and a GitHub advisory. Defenders should verify system configurations, review logs for suspicious activity, and ensure version 0.8.0 or later is deployed. Additional verification tasks may be needed as more information becomes available.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T23:16:56.683Z and has not been modified since then. The NVD entry is currently Deferred.