CVE-2026-42341 Overview
CVE-2026-42341 is an unauthenticated payment bypass vulnerability in FOSSBilling, an open-source billing and client management platform. The flaw resides in the Instant Payment Notification (IPN) callback endpoint /ipn.php when the Custom payment adapter is enabled. An unauthenticated attacker can send a single crafted HTTP request to mark any unpaid invoice as paid and credit the associated client account. No actual funds are transferred, resulting in direct financial loss to the platform operator. FOSSBilling versions 0.6.0 through 0.7.2 are affected, and version 0.8.0 patches the issue. The weakness is classified under [CWE-306] Missing Authentication for Critical Function.
Critical Impact
Any unauthenticated attacker on the network can bypass payment processing entirely, marking invoices as paid and issuing account credits without transferring funds.
Affected Products
- FOSSBilling 0.6.0 through 0.7.2 with the Custom payment adapter enabled
- The /ipn.php IPN callback endpoint
- Client account balances and invoice states managed by affected installations
Discovery Timeline
- 2026-07-06 - CVE-2026-42341 published to the National Vulnerability Database
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-42341
Vulnerability Analysis
FOSSBilling exposes /ipn.php to accept payment notifications from external gateways. When the Custom payment adapter is enabled, the endpoint accepts input that indicates which invoice to update and marks it as paid. The endpoint does not verify the authenticity or origin of the request. An attacker who knows or guesses a valid invoice identifier can trigger the paid state transition remotely.
Once an invoice is marked paid, FOSSBilling applies the corresponding credit to the client account and executes downstream provisioning actions tied to paid invoices. This produces measurable integrity impact against billing records and any services gated by invoice status. The vulnerability requires no authentication, no user interaction, and only network reachability to the FOSSBilling web front end.
Root Cause
The root cause is missing authentication on a critical state-changing function [CWE-306]. The Custom payment adapter's IPN handler trusts request parameters without validating a shared secret, HMAC signature, or source IP restriction. Payment gateway callbacks require cryptographic verification to ensure the notification originated from the gateway, and the Custom adapter lacked this control in the affected releases.
Attack Vector
Exploitation requires a single unauthenticated HTTP request to the target's /ipn.php endpoint with parameters that reference the target invoice and indicate a successful Custom payment. Because the endpoint is network-reachable by design and no credentials are checked, exploitation is straightforward from any host that can reach the FOSSBilling web server. The attacker gains no direct code execution or data read, but achieves high integrity impact on billing state and any provisioning logic keyed to invoice status.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-5493-9m76-2qrr for the vendor's technical description.
Detection Methods for CVE-2026-42341
Indicators of Compromise
- HTTP POST or GET requests to /ipn.php from unexpected source IP addresses that do not match legitimate payment processor ranges
- Invoices transitioning from unpaid to paid status without a matching transaction record from an external payment gateway
- Client account credit adjustments correlated with /ipn.php requests that lack prior gateway redirect activity in session logs
- Provisioning or service activation events tied to invoices that have no reconciling entry in the merchant's payment processor dashboard
Detection Strategies
- Parse web server access logs for requests to /ipn.php and correlate each hit against expected callback source ranges for the enabled payment adapters
- Compare FOSSBilling invoice state changes against payment gateway settlement reports and alert on unmatched paid invoices
- Baseline the volume of Custom adapter IPN calls; unauthorized exploitation typically produces callbacks without preceding checkout sessions
Monitoring Recommendations
- Enable verbose logging on the FOSSBilling application layer to capture IPN payload contents, source IP, and resulting invoice identifiers
- Forward web server and application logs to a centralized log platform and build correlation rules that link checkout initiation to IPN receipt
- Alert on any invoice paid via the Custom adapter when no corresponding administrator action or gateway record exists
How to Mitigate CVE-2026-42341
Immediate Actions Required
- Upgrade FOSSBilling to version 0.8.0 or later, which contains the vendor fix
- If immediate upgrade is not possible, disable the Custom payment gateway in the FOSSBilling admin panel when it is not actively required
- Audit invoice and client credit history since the deployment of any version between 0.6.0 and 0.7.2 to identify unauthorized paid states
Patch Information
FOSSBilling 0.8.0 patches CVE-2026-42341 by adding authentication controls to the Custom payment adapter IPN handler. Full details are published in the GitHub Security Advisory GHSA-5493-9m76-2qrr. Operators should apply the update through their standard FOSSBilling upgrade procedure and verify version after deployment.
Workarounds
- Disable the Custom payment gateway in FOSSBilling if it is not required for active business processes
- Restrict access to /ipn.php at the web server level using IP allowlisting for known payment processor egress ranges, noting this may interfere with legitimate callbacks if the allowlist is incomplete
- Place a reverse proxy or web application firewall in front of FOSSBilling and enforce access controls on the /ipn.php path
# Example nginx configuration restricting /ipn.php to allowlisted IPs
location = /ipn.php {
allow 192.0.2.0/24; # replace with payment processor ranges
allow 198.51.100.0/24;
deny all;
include fastcgi_params;
fastcgi_pass unix:/run/php/php-fpm.sock;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

