PatchSiren cyber security CVE debrief
CVE-2026-53646 FOSSBilling CVE debrief
The FOSSBilling system, a free, open-source billing and client management solution, was found to have a vulnerability in versions 0.5.6 through 0.7.2. This issue pertains to the reuse of tokens for client password reset requests. When a 'ClientPasswordReset' record already exists for a client, subsequent calls to the 'reset_password' guest API endpoint would reuse the existing token instead of generating a new one. The validity of this token is tied to the timestamp of the first request, not the most recent email sent for the reset. This means an attacker who obtained the original reset link could continue to use it even after the victim requested a new reset, as the original token is never invalidated or rotated. The issue was addressed in version 0.8.0 of FOSSBilling. As workarounds, users can configure a reverse proxy to apply per-IP rate limiting to the '/client/reset-password' endpoint or manually clear expired 'client_password_reset' records from the database after a client reports a suspected compromise.
- Vendor
- FOSSBilling
- Product
- Unknown
- CVSS
- HIGH 7.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
System administrators and security professionals managing or using FOSSBilling versions 0.5.6 through 0.7.2 should be aware of this vulnerability. Given the high CVSS score of 7.7, indicating a high severity, immediate attention is advised to upgrade to version 0.8.0 or apply the recommended workarounds to mitigate the risk of unauthorized access to client accounts.
Technical summary
The vulnerability in FOSSBilling allows for the reuse of client password reset tokens under certain conditions. Specifically, if a 'ClientPasswordReset' record exists (from a previous, unexpired reset request), subsequent requests to reset the password will reuse this existing token rather than generating a new one. The 15-minute validity period of the token is determined by the 'created_at' timestamp of the first request, not the most recent attempt. This behavior enables an attacker who has obtained the original reset link to continue using it, even after the client has requested a new password reset. The issue arises from the lack of token invalidation or rotation in such scenarios.
Defensive priority
High priority should be given to applying the patch in version 0.8.0 or implementing the suggested workarounds. Given the high severity and the potential for exploitation, immediate action is necessary to protect against unauthorized access.
Recommended defensive actions
- Upgrade FOSSBilling to version 0.8.0 or later
- Configure a reverse proxy for per-IP rate limiting on the '/client/reset-password' endpoint
- Manually clear expired 'client_password_reset' records from the database as needed
- Review system configurations for potential exposure
- Monitor for suspicious activity related to password reset requests
- Perform a thorough review of system logs for signs of exploitation
- Track and document remediation efforts for future reference
Evidence notes
The CVE record and NVD details provide information on the vulnerability's existence and its patched version. The GitHub security advisory offers additional context on the issue and the fix. Evidence is limited to public statements from CVE.org, NVD, and a GitHub advisory. Defenders should verify system configurations, review logs for suspicious activity, and ensure version 0.8.0 or later is deployed. Additional verification tasks may be needed as more information becomes available.
Official resources
-
CVE-2026-53646 CVE record
CVE.org
-
CVE-2026-53646 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T23:16:56.683Z and has not been modified since then. The NVD entry is currently Deferred.