CVE-2026-53644
FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an active state (e.g., suspended, canceled). The root cause is missing order-state validation in two client API endpoints, despite an isActive() helper already existing in the Serviceapikey module and the frontend UI correctly gating access on order.status == 'active'.
Version 0.8.0 contains a fix. Some workarounds are available. If the Serviceapikey module is not needed, uninstall it to remove the affected endpoints.
One may also use a reverse proxy or WAF to restrict access to /api/client/order/service and /api/client/serviceapikey/reset based on application-level order-state logic.
- ⚠ NVD has not scored this CVE yet - manual triage required (common for recent CVEs)
Severity & exploitation scoring
AV:_/AC:_/... vector string published by NVD.