Description
Invoice Ninja through 5.13.26 contains an open redirect vulnerability in the client portal login that allows unauthenticated attackers to redirect authenticated victims to attacker-controlled external URLs by injecting a malicious value into the intended query parameter. Attackers can craft a client login link with an external URL in the intended parameter, which is stored in the session without host validation and emitted verbatim via a bare redirect in the ContactLoginController authenticated() handler after the victim completes a legitimate login, enabling phishing attacks.
Published: 2026-06-30
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an open redirect in the client portal login that lets attackers insert a malicious URL into the intended parameter. After a victim authenticates, the application blindly redirects them to the URL stored in the session, enabling phishing and credential-stealing attacks without requiring additional privileges.

Affected Systems

Invoice Ninja versions up to and including 5.13.26 are affected. The vulnerability resides in the client portal login flow of the Invoice Ninja application.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate threat. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by constructing a login link that contains a malicious intended parameter, so the likely attack vector is web-based, relying on unauthenticated access to the login page.

Generated by OpenCVE AI on June 30, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Invoice Ninja to 5.13.27 or later to remove the insecure redirect handling.
  • If an upgrade is not immediately possible, modify the ContactLoginController to validate the intended parameter against a whitelist of allowed hosts before performing the redirect.
  • As a temporary safeguard, configure the web server or application firewall to block redirects to external domains from the client portal login flow.
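The host validation described in the second recommended action, as an added example in plain PHP (not Invoice Ninja's code): the intended value is only used as a redirect target when it resolves to an absolute path on the application's own host; everything else falls back to a fixed in-app page. The function name, the fallback path and the app host are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Invoice Ninja code: decide whether a user-supplied
// "intended" value may be used as the post-login redirect target.
// Returns a same-origin absolute path, or $fallback for anything that
// would leave the application's origin. $appHost is assumed to come
// from the application's configuration.
function safeIntendedRedirect(?string $intended, string $appHost, string $fallback = '/client/dashboard'): string
{
    if ($intended === null || $intended === '') {
        return $fallback;
    }
    // Control characters and backslashes never occur in a legitimate in-app
    // URL; browsers normalise "\" to "/", so "/\host" would become "//host".
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $intended)) {
        return $fallback;
    }
    $parts = parse_url($intended);
    if ($parts === false) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    // Any non-http(s) scheme (javascript:, data:, ...) is rejected outright.
    if ($scheme !== '' && $scheme !== 'http' && $scheme !== 'https') {
        return $fallback;
    }
    if (isset($parts['host'])) {
        // Absolute or protocol-relative ("//host/path") URL: the host must
        // match exactly (case-insensitively) and carry no userinfo or port.
        if (strcasecmp($parts['host'], $appHost) !== 0
            || isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
            return $fallback;
        }
    }
    $path = $parts['path'] ?? '/';
    // Only a single-slash absolute path is emitted: "host/x" without a scheme
    // parses as a relative path, and "///host" is resolved by browsers as an
    // authority, so both are refused.
    if ($path === '' || $path[0] !== '/' || str_starts_with($path, '//')) {
        return $fallback;
    }
    $target = $path;
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $target .= '#' . $parts['fragment'];
    }
    return $target;
}
```

In a Laravel authenticated() hook the returned value, rather than the raw session value, would be handed to redirect(); the same function can also run at the point where the parameter is first stored in the session, so an external URL never reaches the session at all.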

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Invoice Ninja through 5.13.26 contains an open redirect vulnerability in the client portal login that allows unauthenticated attackers to redirect authenticated victims to attacker-controlled external URLs by injecting a malicious value into the intended query parameter. Attackers can craft a client login link with an external URL in the intended parameter, which is stored in the session without host validation and emitted verbatim via a bare redirect in the ContactLoginController authenticated() handler after the victim completes a legitimate login, enabling phishing attacks.
Title | | Invoice Ninja 5.13.26 - Open Redirect in Client Portal Login via intended Parameter
First Time appeared | | Invoiceninja; Invoiceninja invoice Ninja
Weaknesses | | CWE-601
CPEs | | cpe:2.3:a:invoiceninja:invoice_ninja:*:*:*:*:*:*:*:*
Vendors & Products | | Invoiceninja; Invoiceninja invoice Ninja
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T21:07:25.092Z

Reserved: 2026-06-30T19:09:07.026Z

Link: CVE-2026-58450

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T22:30:06Z

Weaknesses

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')