CVE-2026-53642 - FOSSBilling: Unverified clients can access client-area pages when email confirmation is required
CVE ID :CVE-2026-53642
Published : July 6, 2026, 11:16 p.m. | 1 hour, 28 minutes ago
Description :FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address (`email_approved = 0`) can access all client-area pages (e.g. `/client/balance`, `/client/order/list`, `/client/invoice`) and read real account data, including wallet balances and transaction history. The API-side enforcement correctly restricts unverified clients to only profile-related endpoints, but the page-side enforcement is overly permissive, allowing any request whose path starts with `/client`. Version 0.8.0 contains a fix. No known workarounds that don't involve modifying the source code are available.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : July 6, 2026, 11:16 p.m. | 1 hour, 28 minutes ago
Description :FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when the "Require Email Confirmation" setting is enabled, a logged-in client with an unverified email address (`email_approved = 0`) can access all client-area pages (e.g. `/client/balance`, `/client/order/list`, `/client/invoice`) and read real account data, including wallet balances and transaction history. The API-side enforcement correctly restricts unverified clients to only profile-related endpoints, but the page-side enforcement is overly permissive, allowing any request whose path starts with `/client`. Version 0.8.0 contains a fix. No known workarounds that don't involve modifying the source code are available.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...