CVE-2026-42341
FOSSBilling · FOSSBilling
FOSSBilling contains an unauthenticated payment bypass vulnerability in the IPN callback endpoint, allowing attackers to mark invoices as paid without actual payment.
Executive summary
An unauthenticated payment bypass vulnerability in FOSSBilling allows attackers to manipulate invoice statuses and credit accounts without completing financial transactions.
Vulnerability
This is a critical authentication bypass and validation error in the IPN callback endpoint. The vulnerability allows an unauthenticated remote attacker to send a crafted HTTP request to mark invoices as paid when the Custom payment adapter is enabled.
Business impact
The CVSS score of 9.2 highlights the severe financial and operational impact of this vulnerability. Attackers can gain services or products without payment, leading to direct financial loss and potential manipulation of client account records, which could undermine the integrity of the billing and customer management system.
Remediation
Immediate Action: Upgrade FOSSBilling to version 0.8.0 or later to implement the necessary authentication checks for payment callbacks.
Proactive Monitoring: Monitor invoice payment logs for anomalies or batches of payments marked as "paid" that lack corresponding transaction records from legitimate payment gateways.
Compensating Controls: Disable the "Custom" payment gateway if it is not strictly required, or restrict access to the /ipn.php endpoint via web server rules to trusted IP addresses only.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability represents a significant financial risk to any organization using FOSSBilling for revenue collection. Immediate application of the 0.8.0 update is required to prevent unauthorized service provisioning and financial fraud.