External risk intelligence

FOSSBilling Guest API Allows New Admin Creation

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-33543

FOSSBilling is a web-based billing and client management system designed to be hosted as a web application. Because it functions as a public-facing service for managing customers and billing operations, the application and its associated API endpoints are typically deployed in an internet-accessible manner to facilitate user and administrative access.

Missing Authentication

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a vulnerability in FOSSBilling, a billing and client management system, where an unprotected API endpoint could allow unauthorized users to create new administrator accounts. This could lead to a complete takeover of the system by an attacker, regardless of whether administrator accounts already exist. The issue has been addressed in recent updates.

  • Unprotected system access creates new admin accounts.
  • Unauthorized admin creation leads to full system compromise.
  • Confirm if FOSSBilling is used; if so, verify updates.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by accessing a specific guest API endpoint, even without any prior authentication or administrator privileges. This endpoint, intended for initial setup, incorrectly allows the creation of a new administrator account due to a flaw in its security checks. Once a new administrator account is created, the attacker can immediately log in with full administrative access to the system.

  • No authentication required.
  • Guest API endpoint for staff creation.
  • Full administrator access gained.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an unauthenticated attacker could create a new administrator account and gain immediate, fully privileged access to the FOSSBilling system, regardless of whether an administrator already exists.

  • Unauthorized administrator account creation.
  • Exploiting an unprotected guest API endpoint.
  • Complete system control and privileged access.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world action should begin with identifying all instances of FOSSBilling, determining their exposure and business criticality, and confirming the accountable owner. This triage will inform the remediation strategy, which may involve coordinated updates, vendor engagement, or implementing temporary risk reductions while planning for system maintenance.

  • Identify FOSSBilling instances and owners.
  • Verify external reachability and business criticality.
  • Plan risk-based remediation and updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is FOSSBilling?

FOSSBilling is a free, open-source software platform used to manage billing, client accounts, and business operations. It provides a web-based interface for organizations to handle recurring payments, invoices, and customer support tickets in a centralized system.

What is the vulnerability in CVE-2026-33543?

This vulnerability falls under CWE-288 and CWE-306, which relate to improper authentication and missing checks. In FOSSBilling, a programming error in the code that validates existing admins causes the system to incorrectly assume no administrator exists. This flaw allows the setup endpoint to remain active, letting anyone bypass security to create a new administrator account.

How does an attacker trigger this vulnerability?

An attacker triggers this by directly accessing the '/api/guest/staff/create' endpoint on an affected FOSSBilling instance. Because the application fails to verify whether an administrator is already present, the endpoint executes the creation process regardless of the system's current state. Simply interacting with this specific API path initiates the account creation, provided the software has not been updated.

Is my instance at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a likely risk because FOSSBilling is designed to be a public-facing web service. If your installation is hosted on the internet to allow remote customer and administrative access, it is reachable by unauthorized parties. Internal-only instances still face risk if reachable by anyone on your network, but internet-exposed setups are the primary concern for this specific flaw.

What is the first step to address this CVE?

The most effective way to secure your system is to upgrade FOSSBilling to version 0.8.0 or newer. This update corrects the faulty admin-existence check that previously allowed unauthorized access. Begin by confirming which version you are running, locating the relevant deployment, and scheduling the update to eliminate the insecure API behavior.

References