CVE-2026-42341

Summary

FOSSBilling is a free, open-source billing and client management system. Versions 0.6.0 through 0.7.2 have an unauthenticated payment bypass vulnerability in FOSSBilling's IPN callback endpoint. When the Custom payment adapter is enabled, an attacker can mark any unpaid invoice as paid and credit the associated client account without making an actual payment, by sending a single crafted HTTP request. Version 0.8.0 patches the issue. Some workarounds are available. Disable the Custom payment gateway if not actively needed and/or restrict access to /ipn.php at the web server level (e.g., via IP allowlisting), noting that this may interfere with legitimate payment callback processing.

Affected Software

VendorProductVersion RangeStatus
FOSSBillingFOSSBilling>= 0.6.0, < 0.8.0affected

Weaknesses

  • CWE-306: CWE-306: Missing Authentication for Critical Function
  • CWE-346: CWE-346: Origin Validation Error

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References