FOSSBilling: Improper API Role Validation (system) Enables Unauthenticated Access to Privileged Admin Functions
Description
FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged /api/system/* endpoints. Because the system role resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, a session, or a CSRF token. Version 0.8.0 patches the issue. Some workarounds are available: block external access to /api/system/* at the reverse proxy or WAF; restrict API access to trusted source IPs only (api.allowed_ips); rotate all admin and client API tokens immediately; invalidate active sessions and reset high-privilege credentials; and/or review API request logs for suspicious /api/system/ access and treat any such access as a potential incident.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: >=0.5.4, <0.8.0
Patches
Vulnerability mechanics
Root cause
"Missing `throw` keyword in API role validation allows the disallowed `system` role to bypass authentication and execute with admin privileges."
Attack vector
An unauthenticated attacker sends an HTTP request to any `/api/system/:class/:method` endpoint. The API router accepts the role from the URL path, and the broken `isRoleAllowed()` method fails to reject the disallowed `system` role because the exception is constructed but never thrown [CWE-754, ref_id=1]. The `system` role is then mapped to the cron admin identity, so the request executes with full admin privileges, bypassing all login, session, and CSRF checks [ref_id=3].
Affected code
The vulnerability resides in `src/modules/Api/Controller/Client.php` where the `isRoleAllowed()` method instantiates a new `Exception` for disallowed roles but omits the `throw` keyword, so the exception is never raised [ref_id=1]. Because `system` is not in the allowed list yet the method returns `true`, the request proceeds and the `system` role is mapped to the cron admin identity via `getCronAdmin()` in `src/di.php`, granting admin-context execution without authentication [ref_id=3].
What the fix does
The patch in version 0.8.0 adds the missing `throw` keyword so that the exception is actually raised when a disallowed role is passed to `isRoleAllowed()`. This prevents any request with the `system` role from reaching the admin API dispatch logic, closing the authorization bypass. The advisory also recommends blocking `/api/system/*` at a reverse proxy or WAF as an additional workaround [ref_id=3].
Preconditions
- config: The FOSSBilling instance must be version 0.5.4 through 0.7.2 (inclusive).
- network: The attacker must be able to send HTTP requests to the FOSSBilling API endpoint.
- auth: No authentication, session, or CSRF token is required.
- input: The request path must use the `system` role, e.g., `/api/system/Admin/string_render`.
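The description's log-review workaround, as an added example that is not part of this advisory or of FOSSBilling itself: it parses combined-format access log lines, flags every request whose path matches the affected `/api/system/<class>/<method>` route shape, and skips source IPs the operator has allow-listed (the page's `api.allowed_ips` idea). The log lines, the trusted-IP set and the `/api/guest/...` path are constructed sample data.

```python
import re
from collections import Counter

# Combined log format (nginx/Apache): ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Route shape named in the advisory: /api/system/<class>/<method>; query strings are ignored.
SYSTEM_API_RE = re.compile(r'^/api/system/(?P<cls>[^/?]+)/(?P<call>[^/?]+)')

# Constructed sample log: one guest call, two external /api/system/ hits, one loopback hit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:12:00:01 +0000] "GET /api/guest/system/version HTTP/1.1" 200 134
203.0.113.7 - - [10/Jun/2026:12:00:02 +0000] "POST /api/system/Admin/string_render HTTP/1.1" 200 512
127.0.0.1 - - [10/Jun/2026:12:05:00 +0000] "GET /api/system/Admin/string_render HTTP/1.1" 200 20
198.51.100.9 - - [10/Jun/2026:12:07:44 +0000] "GET /api/system/Admin/string_render?x=1 HTTP/1.1" 403 0
"""

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_system_api_hits(lines, trusted_ips=frozenset()):
    """Return parsed entries that hit /api/system/* from a non-trusted source IP.

    Blocked (403) attempts are kept on purpose: they still show probing of the route.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["ip"] in trusted_ips:
            continue
        r = SYSTEM_API_RE.match(entry["path"])
        if r:
            hits.append({**entry, "cls": r["cls"], "call": r["call"]})
    return hits

def summarise(hits):
    """Count hits per (source IP, class, method) for triage."""
    return Counter((h["ip"], h["cls"], h["call"]) for h in hits)

if __name__ == "__main__":
    # Assumed: 127.0.0.1 is the host's own cron/loopback traffic and is allow-listed.
    found = find_system_api_hits(SAMPLE_LOG.splitlines(), trusted_ips=frozenset({"127.0.0.1"}))
    for key, n in summarise(found).items():
        print(f"{key[0]} -> /api/system/{key[1]}/{key[2]}: {n} request(s)")
```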
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-57mv-jm88-66jc
- github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-78x5-c8gw-8279
- www.vulncheck.com/blog/fossbilling-auth-bypass-ssti-rce