Home

Description

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.

PUBLISHED Reserved 2026-03-20 | Published 2026-06-24 | Updated 2026-06-25 | Assigner GitHub_M




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-288: Authentication Bypass Using an Alternate Path or Channel

CWE-306: Missing Authentication for Critical Function

Product status

< 0.8.0
affected

References

github.com/...illing/security/advisories/GHSA-28mh-j262-q49w

github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0

cve.org (CVE-2026-33543)

nvd.nist.gov (CVE-2026-33543)

Download JSON