External risk intelligence

FOSSBilling Unauthenticated Payment Bypass Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-42341

FOSSBilling is a web-based billing and client management system designed to process payments. The vulnerable component, an IPN (Instant Payment Notification) callback endpoint, must be reachable via the public internet to receive asynchronous payment confirmations from external payment gateways, making it a commonly internet-facing part of the application's deployment.

Missing Authentication

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in FOSSBilling, an open-source billing and client management system, which allows an unauthenticated attacker to bypass payment processing. This bypass can be achieved by sending a specially crafted HTTP request, enabling the attacker to mark unpaid invoices as paid and credit client accounts without actual payment when the Custom payment adapter is enabled. The primary concern is confirming whether this specific payment adapter is in use and assessing potential exposure.

  • Unauthenticated attackers can mark invoices as paid.
  • Critical for financial systems; confirm relevance and exposure.
  • Protect revenue; audit payment adapters and network access.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted HTTP request to the IPN callback endpoint of FOSSBilling, provided the Custom payment adapter is enabled. This allows them to bypass actual payment processing and mark invoices as paid, crediting client accounts without a transaction.

  • Unauthenticated network access required.
  • Triggered via IPN callback endpoint.
  • Enables unauthorized invoice payment.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in FOSSBilling's payment processing could allow an unauthenticated attacker to bypass payment obligations. When the Custom payment adapter is enabled, a specially crafted HTTP request to the IPN callback endpoint may enable an attacker to mark any unpaid invoice as paid and credit the associated client account without any actual payment being made.

  • Unpaid invoices and client accounts.
  • Sending a crafted HTTP request.
  • Unpaid services may be rendered freely.

Operational Fix

Recommended remediation, mitigation, and detection steps

The FOSSBilling billing system's IPN callback endpoint has a critical vulnerability that allows unauthenticated attackers to bypass payment validation. Infrastructure and security teams are most likely responsible for addressing this. The first practical step is to identify all FOSSBilling instances, confirm their exposure to the internet, and assess the criticality of any instances using the Custom payment adapter before planning remediation.

  • Own the issue through Infrastructure or Security.
  • Verify Custom payment adapter reachability.
  • Plan remediation based on exposure risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is FOSSBilling?

FOSSBilling is a free, open-source software platform used by businesses to manage client accounts, track invoices, and handle automated billing cycles. It functions as a centralized hub for financial operations, often integrating with various third-party payment gateways to process incoming transactions and manage service subscriptions.

How does CVE-2026-42341 impact payment security?

This vulnerability involves an authentication bypass, specifically categorized as CWE-306 (Missing Authentication for Critical Function) and CWE-346 (Origin Validation Error). It allows unauthorized users to manipulate the payment notification process, effectively tricking the system into marking invoices as paid without any money actually changing hands.

What triggers this vulnerability in FOSSBilling?

The issue is triggered when an attacker sends a single, specially crafted HTTP request to the application's IPN (Instant Payment Notification) callback endpoint. This vulnerability only exists if the 'Custom' payment adapter is enabled; if that specific adapter is disabled or not in use, this particular attack path is not applicable.

Is my instance at risk according to Halo Surface Signal?

Halo Surface Signal indicates that because FOSSBilling must communicate with external payment gateways to confirm transactions, its IPN callback endpoint is typically exposed to the public internet. If your instance is reachable from the internet and utilizes the Custom payment adapter, it faces a higher likelihood of being reachable by an attacker.

How can I secure my system against this flaw?

The most effective resolution is to update to version 0.8.0 or later. If you cannot update immediately, you should disable the Custom payment adapter if it is not required for your operations. Alternatively, restricting access to the '/ipn.php' file at the web server level, such as through IP allowlisting, can mitigate the risk, though this may impact your ability to process legitimate payment notifications.

References