FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can gate promo code eligibility, an attacker may apply group-restricted discount codes and receive unauthorized discounts. Version 0.8.0 contains a patch. As a workaround, administrators can either remove group restrictions from promo codes or disable client self-registration (Settings → Clients → Disable signup).
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 07 Jul 2026 02:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Fossbilling
Fossbilling fossbilling |
|
| Vendors & Products |
Fossbilling
Fossbilling fossbilling |
Mon, 06 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can gate promo code eligibility, an attacker may apply group-restricted discount codes and receive unauthorized discounts. Version 0.8.0 contains a patch. As a workaround, administrators can either remove group restrictions from promo codes or disable client self-registration (Settings → Clients → Disable signup). | |
| Title | FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized promo code use | |
| Weaknesses | CWE-915 | |
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-06T21:41:00.174Z
Reserved: 2026-05-04T16:59:09.089Z
Link: CVE-2026-43925
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T01:45:15Z
Weaknesses