CVE Catalog

CVE-2026-33543

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile — higher than 21% of all known CVEs

Summary

FOSSBilling versions 0.7.2 and prior have a vulnerability in the guest API that allows the creation of new administrator accounts even when one already exists. A flaw in the admin existence check enables an attacker to bypass protections.

Risk Assessment

The organization is at risk of unauthorized access to the administrator account, potentially leading to full control over the system. An attacker can create a new administrator account and gain access to sensitive data.

Recommendation

It is recommended to update FOSSBilling to version 0.8.0 or later to mitigate this vulnerability. Additionally, an audit of existing administrator accounts should be conducted.

Original NVD description (English source)

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS