CVE-2026-23491
📋 TL;DR
CVE-2026-23491 is a path traversal vulnerability in InvoicePlane that lets unauthenticated attackers read arbitrary files readable by the web server user, by manipulating filename parameters. Exposed files can include database credentials and configuration files. All InvoicePlane versions up to and including 1.6.3 are affected; 1.6.4 fixes the issue.
💻 Affected Systems
- InvoicePlane
📦 What is this software?
InvoicePlane is an open-source, self-hosted invoicing application maintained by the InvoicePlane project.
⚠️ Risk & Real-World Impact
Worst Case
Attackers extract database credentials from configuration files and, if the database is reachable from their position, gain full database access, which can lead to complete system compromise and data exfiltration.
Likely Case
Sensitive configuration files and credentials are exposed, enabling further attacks and data breaches.
If Mitigated
With tight filesystem permissions, reads are limited to what the web server user can access, which still includes the application's own configuration files.
🎯 Exploit Status
Exploitation needs only a standard path traversal payload (`../` sequences, plain or URL-encoded) in the filename parameter of the guest/get endpoint. No authentication is required.
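To make the bug class concrete, the following Python example (added here; it is not InvoicePlane code and does not reproduce the project's actual route or parameter names) places a naive file-serving function beside a hardened one and runs both against a traversal payload and an absolute path. The directory layout and file contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def serve_file_unsafe(base_dir: str, filename: str) -> bytes:
    """Vulnerable pattern: the user-controlled name is joined to the base
    directory and opened as-is. "../" walks out of base_dir, and an absolute
    name makes os.path.join discard base_dir entirely."""
    path = os.path.join(base_dir, filename)
    with open(path, "rb") as fh:
        return fh.read()


def serve_file_safe(base_dir: str, filename: str) -> bytes:
    """Hardened pattern: canonicalise (resolve symlinks and '..') first, then
    refuse any target that is not strictly inside the canonical base_dir."""
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    if base != target and base not in target.parents:
        raise PermissionError(f"refusing to serve {filename!r}: outside {base}")
    if not target.is_file():
        raise FileNotFoundError(filename)
    return target.read_bytes()


def _attempt(base_dir: str, filename: str) -> str:
    """Helper for the demo: 'blocked' if the hardened function refuses."""
    try:
        serve_file_safe(base_dir, filename)
        return "served"
    except PermissionError:
        return "blocked"


def demo() -> dict:
    """Builds a throw-away layout (constructed for this example):
         <tmp>/uploads/invoice.pdf    the only file that should be served
         <tmp>/secret-config.php      a stand-in for a config file with credentials
    and returns what each implementation does with each request."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"
        uploads.mkdir()
        (uploads / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        secret = Path(tmp) / "secret-config.php"
        secret.write_bytes(b"DB_PASSWORD=constructed-secret")

        traversal = "../secret-config.php"
        return {
            "unsafe_legit": serve_file_unsafe(str(uploads), "invoice.pdf"),
            "unsafe_traversal": serve_file_unsafe(str(uploads), traversal),
            "unsafe_absolute": serve_file_unsafe(str(uploads), str(secret)),
            "safe_legit": serve_file_safe(str(uploads), "invoice.pdf"),
            "safe_traversal": _attempt(str(uploads), traversal),
            "safe_absolute": _attempt(str(uploads), str(secret)),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome!r}")
```

The check is done on the resolved path, not on the input string: rejecting the literal `..` is fragile (encoded variants, symlinks inside the base directory), whereas comparing canonical paths holds regardless of how the name was spelled.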
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.4
Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc
Restart Required: Yes
Instructions:
1. Back up your InvoicePlane installation and database.
2. Download InvoicePlane 1.6.4 from the official repository.
3. Replace the application files with the new version, restoring your configuration and uploaded data from the backup if the upgrade overwrote them.
4. Restart your web server.
5. Verify the application functions correctly.
🔧 Temporary Workarounds
Disable Guest Module
Temporarily block access to the Guest module's Get controller at the web server, so the vulnerable endpoint is unreachable until you upgrade. This also breaks legitimate guest-side file retrieval, so treat it as a stopgap.
# Apache (httpd.conf or vhost; in .htaccess drop the leading slash from the pattern)
RewriteEngine On
RewriteRule ^/?guest/get - [F,NC,L]
# Nginx (inside the server block, before the location that hands requests to PHP)
location ~* ^/guest/get { deny all; }
Input Validation Filter
Add a web application firewall rule that blocks path traversal patterns. The ModSecurity rule below checks URL-decoded values (t:urlDecodeUni) so that encoded forms such as %2e%2e%2f do not slip past a literal ../ match; \x5c is the backslash, written as a hex escape to avoid quoting problems in the config file.
# Example ModSecurity rule:
SecRule ARGS|REQUEST_URI "@rx \.\.[\x5c/]" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal attempt'"
🧯 If You Can't Patch
- Implement strict web application firewall rules to block path traversal patterns in requests
- Tighten filesystem permissions so the web server user can read only what the application needs; moving sensitive files outside the web root alone does not stop an application-level traversal, which walks above the web root anyway
🔍 How to Verify
Check if Vulnerable:
Check whether the InvoicePlane version is 1.6.3 or earlier. To confirm on a system you are authorised to test, request the guest/get endpoint with a traversal payload in the filename parameter and see whether content from outside the intended directory is returned.
Check Version:
Check the IP_VERSION constant in application/config/constants.php or view the footer in the web interface
Verify Fix Applied:
Verify the version is 1.6.4 or later, then test that path traversal attempts against the guest/get endpoint are rejected by the application itself (temporarily lift any web server or WAF workaround for the test, so it is not masking the result).
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to guest/get endpoint with ../ patterns
- Access to sensitive file paths from unauthenticated users
- Failed file access attempts with traversal patterns
Network Indicators:
- HTTP requests containing ../ or ..\ patterns in parameters, including URL-encoded forms (%2e%2e%2f, %2e%2e%5c) and double-encoded forms (%252e%252e%252f)
- Unusual file access patterns from external IPs
SIEM Query (adjust field names to your log source; the encoded terms matter if your pipeline does not URL-decode before indexing):
source="web_logs" AND uri_path="/guest/get*" AND (query_string="*../*" OR query_string="*..\\*" OR query_string="*%2e%2e*" OR uri_path="*../*" OR uri_path="*%2e%2e*")
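The indicators above can be checked offline against access logs. The Python scanner below is an added example, not part of this page or of InvoicePlane: it parses combined-format log lines, URL-decodes each request target twice so that encoded and double-encoded traversal sequences collapse to ../, flags traversal attempts, marks those aimed at the guest/get endpoint, and counts hits per source IP. The sample log lines are constructed; the parameter name and URL layout in them are placeholders, not the real InvoicePlane route.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format as written by Apache and Nginx; only the fields the
# detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A ".." segment bounded by a separator or query delimiter on the left and a
# separator (or end of string) on the right, so "invoice..pdf" is not flagged.
TRAVERSAL_RE = re.compile(r'(?<![^\\/=&?])\.\.(?=[\\/]|$)')


def decode_target(target: str) -> str:
    """URL-decode twice so %2e%2e%2f and double-encoded %252e%252e%252f both
    collapse to '../' before matching."""
    return unquote(unquote(target))


def scan(lines, endpoint="/guest/get"):
    """Return one record per request whose decoded target contains a traversal
    segment. on_endpoint marks hits against the endpoint named on this page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m["target"])
        if not TRAVERSAL_RE.search(decoded):
            continue
        path = decoded.split("?", 1)[0]
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": m["target"],
            "decoded": decoded,
            "on_endpoint": path.lower().startswith(endpoint),
            # A 2xx on a traversal request means the server handed something back.
            "likely_success": m["status"].startswith("2"),
        })
    return hits


def per_source(hits):
    """Count endpoint hits per client IP: the 'multiple requests' indicator."""
    return Counter(h["ip"] for h in hits if h["on_endpoint"])


# Constructed sample log: three traversal attempts on the endpoint from one
# source (plain, encoded, double-encoded), one legitimate download, and one
# traversal attempt against a different path.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2026:10:15:01 +0000] "GET /guest/get?name=../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/8.4.0"
203.0.113.10 - - [12/Jan/2026:10:15:02 +0000] "GET /guest/get?name=..%2F..%2F..%2Fconfig.php HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.10 - - [12/Jan/2026:10:15:03 +0000] "GET /guest/get?name=%252e%252e%252fsecret HTTP/1.1" 404 0 "-" "curl/8.4.0"
198.51.100.7 - - [12/Jan/2026:10:16:10 +0000] "GET /guest/get?name=invoice-1042.pdf HTTP/1.1" 200 55210 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2026:10:16:11 +0000] "GET /guest/view/..%2f..%2fetc/passwd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        flag = "ENDPOINT" if h["on_endpoint"] else "other"
        print(f"{h['ts']} {h['ip']:14} {flag:8} success={h['likely_success']} {h['decoded']}")
    print("per source:", dict(per_source(found)))
```

Run it over a real log with `scan(open("access.log"))`; the `likely_success` field is what to triage first, since a 200 on a traversal request means the file was actually returned.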