Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43918

CVE-2026-43918: FOSSBilling Auth Bypass Vulnerability

CVE-2026-43918 is an authentication bypass flaw in FOSSBilling that allows suspended or deactivated users to retain full access through existing sessions. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-43918 Overview

CVE-2026-43918 is a session management flaw in FOSSBilling, a free, open-source billing and client management system. Versions prior to 0.8.0 fail to invalidate existing authenticated sessions when a client or staff/admin account is suspended or marked inactive. The session identity loaders in src/di.php only check whether the backing account record still exists in the database, not whether its status remains active. A suspended or deactivated user therefore retains full access to their account until their session naturally expires. The maintainers resolved the issue in FOSSBilling version 0.8.0. The weakness is classified under CWE-613: Insufficient Session Expiration.

Critical Impact

Suspended clients and deactivated administrators retain full authenticated access to FOSSBilling, undermining account suspension as a security control.

Affected Products

  • FOSSBilling versions prior to 0.8.0
  • FOSSBilling loggedin_client session identity loader in src/di.php
  • FOSSBilling loggedin_admin session identity loader in src/di.php

Discovery Timeline

  • 2026-07-06 - CVE-2026-43918 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-43918

Vulnerability Analysis

FOSSBilling maintains authenticated sessions for two principal user classes: clients and staff/admin users. On every authenticated request, the framework rehydrates the acting identity through two loader functions defined in src/di.php: loggedin_client and loggedin_admin. These loaders look up the account record referenced by the session and reject the session only when the record is missing.

The loaders never consult the account's status column. An account flagged as suspended or inactive still resolves to a valid identity because the database row continues to exist. As a result, administrative actions such as suspending a delinquent client or deactivating a departed staff member do not sever the offending user's live session. Access persists until the session cookie expires or the user logs out voluntarily.

This is a business logic and session management defect rather than a memory safety or injection bug. An attacker does not need to forge credentials or exploit input handling. They simply continue using a session obtained before the status change.

Root Cause

The root cause is missing authorization state revalidation during session rehydration. The identity loaders treat account existence as equivalent to account validity, violating the principle that authorization must be re-evaluated on each request. This maps directly to CWE-613, where a privileged state persists beyond the point at which it should have been terminated.

Attack Vector

Exploitation requires an existing authenticated session on a FOSSBilling instance running a version earlier than 0.8.0. The attack scenario involves a client or staff/admin account that has been suspended or deactivated for a legitimate reason such as payment default, policy violation, or offboarding. Because the session is not invalidated server-side, the affected user can continue to submit authenticated requests, view billing data, modify account settings, or perform administrative operations tied to their prior role until the session times out.

The vulnerability is exploitable over the network and requires only the low-privilege access that the user already possessed before suspension.

No public proof-of-concept code is required. The condition is reproduced by suspending a logged-in account through the admin panel and observing that the affected browser session continues to function.

Detection Methods for CVE-2026-43918

Indicators of Compromise

  • Successful authenticated requests in FOSSBilling access logs from user IDs whose account status is suspended or inactive in the database.
  • Administrative actions or billing changes performed by staff accounts that were previously deactivated in the FOSSBilling admin panel.
  • Client portal activity such as invoice access or profile edits originating from clients marked non-active.

Detection Strategies

  • Correlate FOSSBilling application logs with the client and admin_staff database tables to flag any request where the acting principal's status is not active.
  • Query active session storage and cross-reference session owners against accounts whose status changed to suspended or inactive after session creation.
  • Review audit trails for privileged actions performed within the session-lifetime window following any account suspension event.

Monitoring Recommendations

  • Alert on any HTTP 200 response to authenticated FOSSBilling endpoints where the associated account status is suspended or inactive.
  • Track the time delta between account suspension events and the last observed authenticated request from the same user.
  • Monitor the src/di.php file for unexpected changes and ensure it reflects the 0.8.0 fix on all production hosts.

How to Mitigate CVE-2026-43918

Immediate Actions Required

  • Upgrade FOSSBilling to version 0.8.0 or later, which contains the fix in the loggedin_client and loggedin_admin identity loaders. See the FOSSBilling 0.8.0 Release.
  • Immediately terminate all active sessions after upgrading by rotating the session secret or truncating the session store.
  • Audit accounts whose status is currently suspended or inactive and confirm no active sessions remain for those users.

Patch Information

FOSSBilling 0.8.0 corrects the session identity loaders to verify that the backing account record is both present and active before rehydrating the session. Details are documented in the GitHub Security Advisory GHSA-qv6c-v49w-8g2j.

Workarounds

  • If immediate upgrade is not feasible, manually delete session records for any account at the moment of suspension or deactivation from the configured session store.
  • Reduce the session lifetime configuration to shorten the exposure window until the patch is applied.
  • Force a global session reset following any bulk account status change until the environment is running FOSSBilling 0.8.0.
bash
# Upgrade FOSSBilling to the patched release
cd /var/www/fossbilling
git fetch --tags
git checkout 0.8.0
composer install --no-dev --optimize-autoloader

# Invalidate all active sessions after upgrade (example for filesystem sessions)
find /var/lib/php/sessions -type f -name 'sess_*' -delete

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.