PT-2026-56039 · Fossbilling · Fossbilling

7Megaumka7

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-53646

CVSS v4.0

7.7

High

VectorAV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a ClientPasswordReset record already exists for a client (from a previous unexpired reset request), subsequent calls to the reset password guest API endpoint reuse the existing token instead of generating a new one. The 15-minute validity window is anchored to the first request's created at timestamp, not the time of the most recent email. An attacker who obtained the original reset link remains able to use it even after the victim requests a new reset, because the original token is never invalidated or rotated. Version 0.8.0 patches the issue. Some workarounds are available. Configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the /client/reset-password endpoint to minimize the window of opportunity, and/or manually clear expired client password reset records from the database after a client reports a suspected compromise.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53646

Affected Products

Fossbilling