FOSSBilling Password Reset Token Exposure (CVE-2026-43926): Reset Confirmation Endpoint Leaks Token Hash

A vulnerability in FOSSBilling, the open-source billing and client management system, tracked as CVE-2026-43926, exposes password reset tokens through the confirmation endpoint at /client/reset-password-confirm/:hash. Versions prior to 0.8.0 are affected.

What Is the Vulnerability?

CVE-2026-43926 is an information disclosure vulnerability in the password reset confirmation endpoint. The /client/reset-password-confirm/:hash endpoint leaks the password reset hash, allowing an attacker who can observe or intercept traffic to this endpoint to capture valid password reset tokens and take over user accounts.

  • CVSS v3.1 Score: 7.5 (High)
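
The mitigation class for this bug is a reset-confirmation handler that never puts token material in anything it returns. The following is an added illustration, not FOSSBilling's code and not the 0.8.0 fix; the in-memory store, the helper names and the redirect target are assumptions, and `response_leaks_token` is a regression check a deployment could run against its own handler.

```python
import hashlib
import secrets
import time

# Constructed in-memory store (assumption): sha256(token) -> record.
# Only the hash of the token is persisted; the raw token exists only in the
# out-of-band e-mail and the URL the user follows.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 3600


def issue_reset_token(client_id, now=None):
    """Mint a reset token for client_id and store only its SHA-256 hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {
        "client_id": client_id,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token  # delivered out of band; never rendered or logged by the app


def confirm_reset(token, now=None):
    """Handle /client/reset-password-confirm/:hash without echoing the token.

    Returns a response dict (status, body, headers) that carries no token
    material, so an observer of the response learns nothing reusable.
    """
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.get(token_hash)  # lookup by hash, never by raw token
    # One uniform error for unknown, expired and already-used tokens: the
    # response does not reveal which case applied.
    if record is None or record["used"] or record["expires"] < now:
        return {"status": 400, "body": "Invalid or expired reset link.", "headers": {}}
    record["used"] = True  # single use: a captured link cannot be replayed
    # Continue the flow via a redirect whose Location carries no token.
    return {"status": 302, "body": "", "headers": {"Location": "/client/login?reset=ok"}}


def response_leaks_token(resp, token):
    """Regression check: True if the raw token or its hash appears in the response."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    blob = resp["body"] + " ".join(f"{k}: {v}" for k, v in resp["headers"].items())
    return token in blob or token_hash in blob
```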

Which Versions Are Affected?

  • FOSSBilling: all versions prior to 0.8.0

What Is the Fix?

Update FOSSBilling to version 0.8.0 or later.

References

This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
