CVE-2026-33543

Vulnerability Description

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.

Related Weaknesses (CWE)

References

• https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0
• https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-28mh-j262-q4

FAQ

What is CVE-2026-33543?

CVE-2026-33543 is a documented vulnerability. FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Du...

How severe is CVE-2026-33543?

CVSS scoring is not yet available for CVE-2026-33543. Check NVD for updates.

Is there a patch for CVE-2026-33543?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.