CVE-2026-29204 - WHMCS Security Update 05/12/2026
Situation
A security vulnerability (CVE-2026-29204) has been identified in WHMCS 7.4 and later involving insufficient authorization checks within the Client Area. Under specific conditions, an authenticated user could perform actions outside of the scope of their assigned account permissions.
This issue was responsibly disclosed through our security program and is currently being addressed.
Impact
An authenticated WHMCS user could potentially leverage this flaw to perform actions in the context of another user's account, including accessing services that they did not own. Exploitation requires a valid, authenticated session.
Affected versions include:
All WHMCS 9.x builds prior to 9.0.4.
All WHMCS 8.x builds prior to 8.13.3.
All WHMCS 7.x builds after 7.4.0.
A fix is only available for supported WHMCS versions. If you are running WHMCS 7.4 or later, you must upgrade to WHMCS 9.0.4 or WHMCS 8.13.3.
Call to Action
We have released a fix for this in the following WHMCS versions:
WHMCS 9.0.4
WHMCS 8.13.3
Update to the latest WHMCS version as soon as the patched release is available.
Monitor the Activity Log for any unexpected Single Sign-On or service access events originating from mismatched user accounts.
If you use WHMCS Cloud, no action is required. We have already updated all WHMCS Cloud-hosted installations.
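One way to carry out the Activity Log review recommended above, as an added example that is not WHMCS code: it flags Single Sign-On and service access events where the acting user is not linked to the client account the event touched. The record fields, event labels and user-to-client links are assumptions; map them to what your own Activity Log export and account data contain.

```python
# Added example: field names, event labels and all sample data are constructed
# assumptions, not the real WHMCS Activity Log schema.
from collections import defaultdict

WATCHED = {"sso", "service_access"}  # assumed labels for the events to review


def build_links(pairs):
    """Map each user id to the set of client ids that user is linked to."""
    links = defaultdict(set)
    for user_id, client_id in pairs:
        links[user_id].add(client_id)
    return links


def find_mismatches(events, links):
    """Return watched events whose acting user has no link to the target client."""
    return [
        ev for ev in events
        if ev["event"] in WATCHED
        and ev["client_id"] not in links.get(ev["user_id"], set())
    ]


def summarise(flagged):
    """Group flagged events by user: user id -> sorted foreign client ids."""
    per_user = defaultdict(set)
    for ev in flagged:
        per_user[ev["user_id"]].add(ev["client_id"])
    return {user: sorted(clients) for user, clients in per_user.items()}


# Constructed data: user 12 is an additional user on client 100.
SAMPLE_LINKS = [(10, 100), (11, 101), (12, 100)]
SAMPLE_EVENTS = [
    {"ts": "2026-05-10T09:12:00", "user_id": 10, "client_id": 100, "event": "sso"},
    {"ts": "2026-05-10T09:40:11", "user_id": 11, "client_id": 100, "event": "service_access"},
    {"ts": "2026-05-10T09:41:02", "user_id": 11, "client_id": 102, "event": "sso"},
    {"ts": "2026-05-10T10:05:30", "user_id": 12, "client_id": 100, "event": "service_access"},
    {"ts": "2026-05-10T10:07:45", "user_id": 11, "client_id": 101, "event": "login"},
    {"ts": "2026-05-10T11:30:00", "user_id": 13, "client_id": 101, "event": "sso"},
]

if __name__ == "__main__":
    flagged = find_mismatches(SAMPLE_EVENTS, build_links(SAMPLE_LINKS))
    for ev in flagged:
        print(ev["ts"], "user", ev["user_id"], "->", "client", ev["client_id"], ev["event"])
    print(summarise(flagged))
```

A user that appears against several client accounts it is not linked to, like user 11 in the sample, is the pattern to review first.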