FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach — attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.

Basic Information

ID CVE-2026-27708

Source GitHub_M

Published Jun 24, 2026 at 19:24

Affected Product

Vendor FOSSBilling

Product FOSSBilling

Version < 0.8.0

Affected Versions FOSSBilling FOSSBilling < 0.8.0

CWE Classification

CWE-284 CWE-639 CWE-862

References

{
    "lastseen": "",
    "description": "FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach \u2014 attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.",
    "published": "2026-06-24T19:24:50.417Z",
    "modified": "2026-06-24T19:24:50.417Z",
    "type": "cve",
    "title": "FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access",
    "source": "GitHub_M",
    "references": "https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j\nhttps://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0",
    "id": "CVE-2026-27708",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284",
        "CWE-639",
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "FOSSBilling FOSSBilling < 0.8.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FOSSBilling",
    "version": "< 0.8.0",
    "vendor": "FOSSBilling",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access_CVE-2026-27708