CVE-2026-27604
Published: 23 June 2026
Summary
CVE-2026-27604 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 32.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-38451
Vulnerability details
FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, a session, or a CSRF token. Version 0.8.0 patches the issue. Some workarounds are available, which can be combined:
- Block external access to `/api/system/*` at the reverse proxy or WAF.
- Restrict API access to trusted source IPs only (`api.allowed_ips`).
- Rotate all admin and client API tokens immediately.
- Invalidate active sessions and reset high-privilege credentials.
- Review API request logs for suspicious `/api/system/` access and treat any such access as a potential incident.
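The last workaround above, reviewing API request logs for `/api/system/` access, as an added example (not code from FOSSBilling or from the advisory): it parses combined-format access log lines from a reverse proxy in front of the application, drops requests from the trusted source networks that `api.allowed_ips` would permit, and flags every remaining `/api/system/*` call, noting whether it succeeded. The log layout, the trusted networks, the sample lines and the endpoint names are all constructed assumptions.

```python
import ipaddress
import re
from typing import Iterable

# Combined log format as written by nginx/Apache in front of FOSSBilling (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Mirrors the api.allowed_ips workaround; constructed networks, not a real allowlist.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.10/32")]

def is_trusted(ip: str) -> bool:
    """True when the source address falls inside the trusted allowlist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious_system_api_calls(lines: Iterable[str]) -> list[dict]:
    """Return every /api/system/* request from outside the allowlist.

    'succeeded' (status < 400) from an untrusted source on a pre-0.8.0 install means the
    bypass was likely used; a 403 shows the proxy/WAF block held but the endpoint was probed.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        path = m.group("path").split("?", 1)[0]  # strip the query string before matching
        if not path.startswith("/api/system/") or is_trusted(m.group("ip")):
            continue
        status = int(m.group("status"))
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                     "path": path, "status": status, "succeeded": status < 400})
    return hits

# Constructed sample lines; endpoint names are placeholders, not FOSSBilling's real methods.
SAMPLE_LOG = [
    '198.51.100.23 - - [23/Jun/2026:10:14:02 +0000] "POST /api/system/example_admin_call HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Jun/2026:10:14:05 +0000] "GET /api/system/example_admin_call HTTP/1.1" 200 88',
    '198.51.100.23 - - [23/Jun/2026:10:14:09 +0000] "GET /api/guest/example_public_call HTTP/1.1" 200 40',
    '203.0.113.9 - - [23/Jun/2026:10:15:30 +0000] "POST /api/system/example_admin_call?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for h in find_suspicious_system_api_calls(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({"SUCCEEDED" if h["succeeded"] else "blocked"})')
```

A successful hit from an untrusted address on an unpatched install is the signal the advisory says to treat as a potential incident; blocked probes still tell you the endpoint is being looked for.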
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass enables unauthenticated remote access to privileged endpoints on a public-facing web application/API.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Requires authentication gates on critical functions that must remain unavailable to anonymous public users.
Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
Mandates authorization checks before permitting access or data processing via external systems.
The control provides a mechanism for authorized users to determine authorization matches, preventing sharing without proper authorization verification.
Always invoking the reference monitor prevents missing authorization checks for protected resources.