CVE-2026-42341

FOSSBilling · FOSSBilling

FOSSBilling contains an unauthenticated payment bypass vulnerability in the IPN callback endpoint, allowing attackers to mark invoices as paid without actual payment.

Executive summary

An unauthenticated payment bypass vulnerability in FOSSBilling allows attackers to manipulate invoice statuses and credit accounts without completing financial transactions.

Vulnerability

This is a critical authentication bypass and validation error in the IPN callback endpoint. The vulnerability allows an unauthenticated remote attacker to send a crafted HTTP request to mark invoices as paid when the Custom payment adapter is enabled.

Business impact

The CVSS score of 9.2 highlights the severe financial and operational impact of this vulnerability. Attackers can gain services or products without payment, leading to direct financial loss and potential manipulation of client account records, which could undermine the integrity of the billing and customer management system.

Remediation

Immediate Action: Upgrade FOSSBilling to version 0.8.0 or later to implement the necessary authentication checks for payment callbacks.

Proactive Monitoring: Monitor invoice payment logs for anomalies or batches of payments marked as "paid" that lack corresponding transaction records from legitimate payment gateways.

Compensating Controls: Disable the "Custom" payment gateway if it is not strictly required, or restrict access to the /ipn.php endpoint via web server rules to trusted IP addresses only.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability represents a significant financial risk to any organization using FOSSBilling for revenue collection. Immediate application of the 0.8.0 update is required to prevent unauthorized service provisioning and financial fraud.