CVE-2026-53646

Summary

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a ClientPasswordReset record already exists for a client (from a previous unexpired reset request), subsequent calls to the reset_password guest API endpoint reuse the existing token instead of generating a new one. The 15-minute validity window is anchored to the first request's created_at timestamp, not the time of the most recent email. An attacker who obtained the original reset link remains able to use it even after the victim requests a new reset, because the original token is never invalidated or rotated. Version 0.8.0 patches the issue. Some workarounds are available. Configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the /client/reset-password endpoint to minimize the window of opportunity, and/or manually clear expired client_password_reset records from the database after a client reports a suspected compromise.

Affected Software

VendorProductVersion RangeStatus
FOSSBillingFOSSBilling>= 0.5.6, < 0.8.0affected

Weaknesses

  • CWE-640: CWE-640: Weak Password Recovery Mechanism for Forgotten Password

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References