Description
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a misconfigured replica, or insider access — immediately obtains all API credentials for every user with no further effort. This issue has been patched in version 2.3.17.
Published: 2026-06-11
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SolidInvoice stored API tokens as raw text in the database before version 2.3.17. The consequence is that any party who gains read access to the database—via SQL injection, a leaked backup, a misconfigured replica, or insider access—will obtain every user’s API credentials with no additional effort. This disclosure allows an attacker to authenticate as any user and therefore access, modify, or delete any invoicing data and perform administrative actions.

Affected Systems

The vulnerability affects all releases of the SolidInvoice invoicing platform before 2.3.17. Installations running SolidInvoice 2.3.17 or later are no longer affected because the issue has been corrected there.

Risk and Exploitability

The CVSS score of 8.1 classifies this flaw as High severity. No EPSS score is available, and the absence of a KEV listing does not lower the risk, because exploitation requires only read access to the database, a commonly held privilege. An attacker who compromises the database can immediately harvest every API token, turning a database breach into a compromise of the whole platform. Even without a direct code-execution path, the impact on confidentiality, integrity, and availability is substantial when the tokens grant remote API access.

Generated by OpenCVE AI on June 11, 2026 at 22:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SolidInvoice to version 2.3.17 or later, which replaces plaintext token storage with secure hashing.
  • After upgrading, force a reset of all existing API tokens so that any old credentials stored in the database are invalidated.
  • Restrict database read permissions to only necessary accounts and monitor for unauthorized read access to prevent future credential leaks.
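As an added illustration of the remediation recommended above, and not SolidInvoice's own code (the page does not show the project's actual scheme), the following Python stand-in for an api_tokens table persists only a SHA-256 digest of each high-entropy token, authenticates by looking the digest up, and includes a revoke-all step for the post-upgrade token reset; the schema, function names and hashing choice are assumptions.

```python
import hashlib
import secrets
import sqlite3

# Constructed in-memory stand-in for an api_tokens table. The schema is a
# hypothetical one, not SolidInvoice's; only a SHA-256 digest of each token
# is persisted, so a copy of the table does not contain usable credentials.
def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE api_tokens (id INTEGER PRIMARY KEY, user_id INTEGER, "
        "token_hash TEXT NOT NULL UNIQUE)"
    )
    return db

def hash_token(token: str) -> str:
    # Tokens carry 256 bits of entropy, so an unsalted SHA-256 is sufficient
    # (nothing to dictionary-attack) and keeps lookup a single indexed query.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_token(db: sqlite3.Connection, user_id: int) -> str:
    # The raw token is returned to the caller once and is never stored.
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO api_tokens (user_id, token_hash) VALUES (?, ?)",
        (user_id, hash_token(token)),
    )
    db.commit()
    return token

def authenticate(db: sqlite3.Connection, presented: str):
    # Hash the presented token and look the digest up; user_id or None.
    row = db.execute(
        "SELECT user_id FROM api_tokens WHERE token_hash = ?",
        (hash_token(presented),),
    ).fetchone()
    return row[0] if row else None

def revoke_all(db: sqlite3.Connection) -> int:
    # Post-upgrade step: invalidate every token that may have leaked in
    # plaintext so users must issue fresh ones. Returns the number revoked.
    n = db.execute("SELECT COUNT(*) FROM api_tokens").fetchone()[0]
    db.execute("DELETE FROM api_tokens")
    db.commit()
    return n

def stored_values(db: sqlite3.Connection) -> list:
    # What a database reader sees: digests only, never the tokens themselves.
    return [r[0] for r in db.execute("SELECT token_hash FROM api_tokens")]
```

A leaked digest presented as if it were a token fails authentication, which is the property plaintext storage lacked.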

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 22:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Solidinvoice
                                      Solidinvoice solidinvoice
Vendors & Products                    Solidinvoice
                                      Solidinvoice solidinvoice

Thu, 11 Jun 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a misconfigured replica, or insider access — immediately obtains all API credentials for every user with no further effort. This issue has been patched in version 2.3.17.
Title                          SolidInvoice: API tokens stored as plaintext in the database allowing full credential compromise on database breach
Weaknesses                     CWE-312
References
Metrics                        cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Solidinvoice Solidinvoice
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T18:55:23.915Z

Reserved: 2026-05-15T19:34:14.012Z

Link: CVE-2026-46622

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-11T20:16:23.493

Modified: 2026-06-11T20:50:49.480

Link: CVE-2026-46622

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:30:09Z

Weaknesses
  • CWE-312: Cleartext Storage of Sensitive Information