Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42341

CVE-2026-42341: FOSSBilling Payment Bypass Vulnerability

CVE-2026-42341 is an authentication bypass flaw in FOSSBilling that allows attackers to mark invoices as paid without actual payment. This article covers the technical details, affected versions 0.6.0-0.7.2, and mitigation.

Published:

CVE-2026-42341 Overview

CVE-2026-42341 is an unauthenticated payment bypass vulnerability in FOSSBilling, an open-source billing and client management platform. The flaw resides in the Instant Payment Notification (IPN) callback endpoint /ipn.php when the Custom payment adapter is enabled. An unauthenticated attacker can send a single crafted HTTP request to mark any unpaid invoice as paid and credit the associated client account. No actual funds are transferred, resulting in direct financial loss to the platform operator. FOSSBilling versions 0.6.0 through 0.7.2 are affected, and version 0.8.0 patches the issue. The weakness is classified under [CWE-306] Missing Authentication for Critical Function.

Critical Impact

Any unauthenticated attacker on the network can bypass payment processing entirely, marking invoices as paid and issuing account credits without transferring funds.

Affected Products

  • FOSSBilling 0.6.0 through 0.7.2 with the Custom payment adapter enabled
  • The /ipn.php IPN callback endpoint
  • Client account balances and invoice states managed by affected installations

Discovery Timeline

  • 2026-07-06 - CVE-2026-42341 published to the National Vulnerability Database
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-42341

Vulnerability Analysis

FOSSBilling exposes /ipn.php to accept payment notifications from external gateways. When the Custom payment adapter is enabled, the endpoint accepts input that indicates which invoice to update and marks it as paid. The endpoint does not verify the authenticity or origin of the request. An attacker who knows or guesses a valid invoice identifier can trigger the paid state transition remotely.

Once an invoice is marked paid, FOSSBilling applies the corresponding credit to the client account and executes downstream provisioning actions tied to paid invoices. This produces measurable integrity impact against billing records and any services gated by invoice status. The vulnerability requires no authentication, no user interaction, and only network reachability to the FOSSBilling web front end.

Root Cause

The root cause is missing authentication on a critical state-changing function [CWE-306]. The Custom payment adapter's IPN handler trusts request parameters without validating a shared secret, HMAC signature, or source IP restriction. Payment gateway callbacks require cryptographic verification to ensure the notification originated from the gateway, and the Custom adapter lacked this control in the affected releases.

Attack Vector

Exploitation requires a single unauthenticated HTTP request to the target's /ipn.php endpoint with parameters that reference the target invoice and indicate a successful Custom payment. Because the endpoint is network-reachable by design and no credentials are checked, exploitation is straightforward from any host that can reach the FOSSBilling web server. The attacker gains no direct code execution or data read, but achieves high integrity impact on billing state and any provisioning logic keyed to invoice status.

No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-5493-9m76-2qrr for the vendor's technical description.

Detection Methods for CVE-2026-42341

Indicators of Compromise

  • HTTP POST or GET requests to /ipn.php from unexpected source IP addresses that do not match legitimate payment processor ranges
  • Invoices transitioning from unpaid to paid status without a matching transaction record from an external payment gateway
  • Client account credit adjustments correlated with /ipn.php requests that lack prior gateway redirect activity in session logs
  • Provisioning or service activation events tied to invoices that have no reconciling entry in the merchant's payment processor dashboard

Detection Strategies

  • Parse web server access logs for requests to /ipn.php and correlate each hit against expected callback source ranges for the enabled payment adapters
  • Compare FOSSBilling invoice state changes against payment gateway settlement reports and alert on unmatched paid invoices
  • Baseline the volume of Custom adapter IPN calls; unauthorized exploitation typically produces callbacks without preceding checkout sessions

Monitoring Recommendations

  • Enable verbose logging on the FOSSBilling application layer to capture IPN payload contents, source IP, and resulting invoice identifiers
  • Forward web server and application logs to a centralized log platform and build correlation rules that link checkout initiation to IPN receipt
  • Alert on any invoice paid via the Custom adapter when no corresponding administrator action or gateway record exists

How to Mitigate CVE-2026-42341

Immediate Actions Required

  • Upgrade FOSSBilling to version 0.8.0 or later, which contains the vendor fix
  • If immediate upgrade is not possible, disable the Custom payment gateway in the FOSSBilling admin panel when it is not actively required
  • Audit invoice and client credit history since the deployment of any version between 0.6.0 and 0.7.2 to identify unauthorized paid states

Patch Information

FOSSBilling 0.8.0 patches CVE-2026-42341 by adding authentication controls to the Custom payment adapter IPN handler. Full details are published in the GitHub Security Advisory GHSA-5493-9m76-2qrr. Operators should apply the update through their standard FOSSBilling upgrade procedure and verify version after deployment.

Workarounds

  • Disable the Custom payment gateway in FOSSBilling if it is not required for active business processes
  • Restrict access to /ipn.php at the web server level using IP allowlisting for known payment processor egress ranges, noting this may interfere with legitimate callbacks if the allowlist is incomplete
  • Place a reverse proxy or web application firewall in front of FOSSBilling and enforce access controls on the /ipn.php path
bash
# Example nginx configuration restricting /ipn.php to allowlisted IPs
location = /ipn.php {
    allow 192.0.2.0/24;   # replace with payment processor ranges
    allow 198.51.100.0/24;
    deny all;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.