VYPR
Medium severity · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-43926

Description

FOSSBilling versions prior to 0.8.0 lack rate limiting on password reset confirmation, allowing brute-force token guessing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

FOSSBilling versions 0.1.0 through 0.7.2 handle the password reset confirmation endpoint /client/reset-password-confirm/:hash via a non-API controller that is not covered by the application's rate limiter. This architectural gap allows for unlimited token guesses without any per-IP request limiting, attempt counting, or lockout mechanisms. The same vulnerability affects /staff/email/:hash and /client/confirm-email/:hash [2].

Exploitation

An attacker can repeatedly submit guesses for password reset tokens to the vulnerable endpoints. The endpoint acts as an oracle, returning a distinguishable HTTP 200 response for a valid token and an HTTP 302 redirect for an invalid one. This allows an attacker to probe for valid tokens without any throttling or lockout, though the tokens' 256 bits of entropy and 15-minute expiry limit practical exploitability [2].

Impact

Successful exploitation would allow an attacker to guess valid password reset tokens and change the passwords of the corresponding user accounts without authorization. The compromise is limited to the individual user accounts whose tokens are guessed [2].

Mitigation

FOSSBilling version 0.8.0, released on 2026-05-28, addresses this vulnerability [1]. As a workaround, users can configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the affected paths (/client/reset-password-confirm/*, /staff/email/*) or use a WAF rule to limit request rates to these endpoints [2].

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The password reset confirmation endpoint is not covered by the application's rate limiter."

Attack vector

An attacker can repeatedly probe the `/client/reset-password-confirm/:hash` endpoint with guessed tokens. The endpoint acts as an oracle, returning a distinguishable response for valid versus invalid tokens (HTTP 200 vs HTTP 302 redirect) [ref_id=1]. This allows an attacker to discover valid reset tokens without any per-IP request limiting, attempt counting, or lockout mechanism [ref_id=1]. The same architectural gap affects other controller-served authentication routes like `/staff/email/:hash` and `/client/confirm-email/:hash` [ref_id=1].

Affected code

The password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to `/api/*` routes. The application's routing architecture dispatches non-API controller routes through a separate path that includes no rate limiting middleware or hooks. The affected endpoint validates the reset hash and either renders a template or redirects, with no rate limiting applied [ref_id=1].

What the fix does

The advisory recommends configuring a reverse proxy, such as Nginx or Apache, to apply per-IP rate limiting to the affected paths (`/client/reset-password-confirm/*` and `/staff/email/*`). Alternatively, a Web Application Firewall (WAF) rule can be used to limit request rates to these endpoints. Version 0.8.0 is noted as the patched version, implying that the fix involves implementing rate limiting for these non-API controller routes [ref_id=1].
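
The page gives no fix commit, so the following is an added example, not FOSSBilling's code, of the kind of control this section describes: a per-IP sliding-window request limit plus a failed-attempt lockout that is applied to the controller-served confirmation routes as well as to /api/*. The route prefixes are the ones named on this page; the numeric policy (10 requests per 60 s, lockout for 15 minutes after 5 failures), the stand-in handler `reset_password_confirm`, the helper `simulate_guesses`, and the IP and token values are assumptions made for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

# Route prefixes the limiter must cover. The advisory says the original limiter
# applied only to /api/*; the three controller-served confirmation routes below
# are the ones it missed.
PROTECTED_PREFIXES = (
    "/api/",
    "/client/reset-password-confirm/",
    "/client/confirm-email/",
    "/staff/email/",
)


class TokenEndpointLimiter:
    """Per-IP sliding-window request limit plus lockout after repeated failures.

    The default policy numbers are constructed for this example; they are not
    FOSSBilling's. The 900 s lockout simply matches the 15-minute token expiry
    mentioned in the advisory.
    """

    def __init__(self, max_requests=10, window_seconds=60.0,
                 max_failures=5, lockout_seconds=900.0):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._hits = defaultdict(deque)    # ip -> timestamps of recent requests
        self._failures = defaultdict(int)  # ip -> consecutive failed token checks
        self._locked_until = {}            # ip -> time at which the lockout ends

    @staticmethod
    def is_protected(path):
        return path.startswith(PROTECTED_PREFIXES)

    def allow(self, ip, path, now=None):
        """Return True if the request may reach the controller."""
        if not self.is_protected(path):
            return True
        now = time.time() if now is None else now
        locked_until = self._locked_until.get(ip)
        if locked_until is not None:
            if locked_until > now:
                return False
            # Lockout has expired: start the failure count afresh.
            del self._locked_until[ip]
            self._failures.pop(ip, None)
        hits = self._hits[ip]
        # Discard timestamps that have aged out of the sliding window.
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True

    def record_failure(self, ip, now=None):
        """Count a wrong token; lock the IP out once the threshold is reached."""
        now = time.time() if now is None else now
        self._failures[ip] += 1
        if self._failures[ip] >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_seconds

    def record_success(self, ip):
        """A valid token clears the failure counter for that IP."""
        self._failures.pop(ip, None)


def reset_password_confirm(limiter, ip, path, presented_hash, valid_hashes, now=None):
    """Constructed stand-in for the confirmation controller (not FOSSBilling code).

    Returns the HTTP status the client would see: 429 when throttled or locked
    out, otherwise the 200 (valid) / 302 (invalid) pair the advisory describes.
    """
    if not limiter.allow(ip, path, now):
        return 429
    # compare_digest keeps the string comparison itself from leaking timing.
    if any(hmac.compare_digest(presented_hash, h) for h in valid_hashes):
        limiter.record_success(ip)
        return 200
    limiter.record_failure(ip, now)
    return 302


def simulate_guesses(limiter, ip, attempts, start=0.0):
    """Send `attempts` wrong guesses from one IP, one second apart, and return
    the status codes seen, so the point at which the limiter cuts in is visible."""
    valid = {"constructed-valid-hash"}  # constructed token store
    codes = []
    for i in range(attempts):
        guess = "wrong-guess-%d" % i
        path = "/client/reset-password-confirm/" + guess
        codes.append(reset_password_confirm(limiter, ip, path, guess, valid, start + i))
    return codes


if __name__ == "__main__":
    # -> [302, 302, 302, 302, 302, 429, 429, 429]
    print(simulate_guesses(TokenEndpointLimiter(), "198.51.100.7", 8))
```

The two mechanisms are deliberately independent: the sliding window caps raw request volume per IP on every protected prefix, while the failure counter turns the 200/302 oracle into a lockout after a handful of wrong tokens, so a slow guesser that stays under the request cap is still stopped. Both are keyed on the client IP, so the same reverse-proxy caveats apply (trust only `X-Forwarded-For` set by your own proxy).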

Preconditions

  • Network: Attacker must be able to send requests to the FOSSBilling instance.
  • Input: Attacker needs to be able to guess or obtain password reset tokens.

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
