PT-2026-56039 · Fossbilling · Fossbilling
7Megaumka7
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-53646
CVSS v4.0
7.7
High
| Vector | AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a
ClientPasswordReset record already exists for a client (from a previous unexpired reset request), subsequent calls to the reset password guest API endpoint reuse the existing token instead of generating a new one. The 15-minute validity window is anchored to the first request's created at timestamp, not the time of the most recent email. An attacker who obtained the original reset link remains able to use it even after the victim requests a new reset, because the original token is never invalidated or rotated. Version 0.8.0 patches the issue. Some workarounds are available. Configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the /client/reset-password endpoint to minimize the window of opportunity, and/or manually clear expired client password reset records from the database after a client reports a suspected compromise.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fossbilling