{"api_version":"1","generated_at":"2026-06-26T03:59:00+00:00","cve":"CVE-2026-27604","urls":{"html":"https://cve.report/CVE-2026-27604","api":"https://cve.report/api/cve/CVE-2026-27604.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-27604","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-27604"},"summary":{"title":"FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions","description":"FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-23 15:16:33","updated_at":"2026-06-23 16:16:59"},"problem_types":["CWE-200","CWE-306","CWE-862","CWE-863","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","CWE-306 CWE-306: Missing Authentication for Critical Function","CWE-862 CWE-862: Missing Authorization","CWE-863 CWE-863: Incorrect Authorization"],"metrics":[{"version":"4.0","source":"security-advisories@github.com","type":"Secondary","score":"10","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":10,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"10","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","data":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":10,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH"}}],"references":[{"url":"https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-78x5-c8gw-8279","name":"https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-78x5-c8gw-8279","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc","name":"https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.vulncheck.com/blog/fossbilling-auth-bypass-ssti-rce","name":"https://www.vulncheck.com/blog/fossbilling-auth-bypass-ssti-rce","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-27604","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27604","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"FOSSBilling","product":"FOSSBilling","version":"affected >= 0.5.4, < 0.8.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"27604","cve":"CVE-2026-27604","epss":"0.004080000","percentile":"0.325160000","score_date":"2026-06-25","updated_at":"2026-06-26 00:06:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-27604","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-23T15:11:05.254896Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-23T15:11:21.675Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"FOSSBilling","vendor":"FOSSBilling","versions":[{"status":"affected","version":">= 0.5.4, < 0.8.0"}]}],"descriptions":[{"lang":"en","value":"FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident."}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":10,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-306","description":"CWE-306: Missing Authentication for Critical Function","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-862","description":"CWE-862: Missing Authorization","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-863","description":"CWE-863: Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-23T14:25:20.334Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-78x5-c8gw-8279","tags":["x_refsource_CONFIRM"],"url":"https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-78x5-c8gw-8279"},{"name":"https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc","tags":["x_refsource_MISC"],"url":"https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc"},{"name":"https://www.vulncheck.com/blog/fossbilling-auth-bypass-ssti-rce","tags":["x_refsource_MISC"],"url":"https://www.vulncheck.com/blog/fossbilling-auth-bypass-ssti-rce"}],"source":{"advisory":"GHSA-78x5-c8gw-8279","discovery":"UNKNOWN"},"title":"FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-27604","datePublished":"2026-06-23T14:25:20.334Z","dateReserved":"2026-02-20T19:43:14.602Z","dateUpdated":"2026-06-23T15:11:21.675Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-23 15:16:33","lastModifiedDate":"2026-06-23 16:16:59","problem_types":["CWE-200","CWE-306","CWE-862","CWE-863","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","CWE-306 CWE-306: Missing Authentication for Critical Function","CWE-862 CWE-862: Missing Authorization","CWE-863 CWE-863: Incorrect Authorization"],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":10,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-23T15:11:05.254896Z","id":"CVE-2026-27604","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"27604","Ordinal":"1","Title":"FOSSBilling: Improper API Role Validation (system) Enables Unaut","CVE":"CVE-2026-27604","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"27604","Ordinal":"1","NoteData":"FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident.","Type":"Description","Title":"FOSSBilling: Improper API Role Validation (system) Enables Unaut"}]}}}