CVE-2026-0649
Server-Side Request Forgery in InvoiceNinja Migration Import Component
Publication date: 2026-01-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| invoiceninja | invoiceninja | up to and including 5.12.38 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for the presence of the vulnerable file path or functionality, such as using Google dorking with the query `inurl:app/Jobs/Util/Import.php` to identify exposed targets. Additionally, monitoring for unusual HTTP requests initiated by the server to external or internal URLs, especially those involving the `company_logo` parameter in migration imports, can help detect exploitation attempts. Since the vulnerability requires authenticated access, reviewing logs for authenticated users performing migration imports with suspicious URLs in the `company_logo` field is recommended. Specific commands are not provided, but network monitoring tools and log analysis focusing on these indicators are suggested. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Implement strict validation of the `company_logo` URL before it is passed to the `copy()` function, ensuring it uses HTTPS, verifying the host, resolving the hostname to an IP address, and blocking private, reserved, and known cloud metadata IP ranges (e.g., 169.254.169.254).
2. Disable `allow_url_fopen` in the `php.ini` configuration to prevent `copy()` from fetching remote URLs, though this may affect other functionality.
3. Replace the use of `copy()` with a cURL-based implementation that enforces timeouts and restricts redirects.

If possible, consider replacing the affected component with an alternative product. These steps help prevent server-side request forgery exploitation. [2]
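A defender-side implementation of mitigation steps 1 and 3, added here as an example; it is not InvoiceNinja's code. Function names are this example's own, it resolves IPv4 addresses only, and it pins the validated address for the fetch so the check cannot be bypassed by a DNS answer that changes between validation and download.

```php
<?php
// Example (not InvoiceNinja code): validate a company_logo URL, then fetch it with
// cURL instead of copy(). Assumes the logo must be an absolute https URL on IPv4.

function isBlockedIpv4(string $ip): bool {
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16; NO_RES_RANGE rejects
    // 0/8, 127/8, 169.254/16 (cloud metadata 169.254.169.254) and 240/4.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns host, port and the single resolved IPv4 address, or throws. Fetches nothing.
function validateLogoUrl(string $url): array {
    $p = parse_url($url);
    if ($p === false || ($p['scheme'] ?? '') !== 'https' || empty($p['host'])) {
        throw new InvalidArgumentException('company_logo must be an absolute https URL');
    }
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('credentials in the URL are not allowed');
    }
    $host = $p['host'];
    $port = $p['port'] ?? 443;
    // gethostbyname() returns $host unchanged on failure or when it is already an IPv4 literal.
    $ip = gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new RuntimeException("could not resolve $host to an IPv4 address");
    }
    if (isBlockedIpv4($ip)) {
        throw new RuntimeException("refusing to fetch from private/reserved address $ip");
    }
    return ['host' => $host, 'port' => $port, 'ip' => $ip];
}

function fetchCompanyLogo(string $url, string $destPath): void {
    $t = validateLogoUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,   // no file://, gopher://, http://
        CURLOPT_FOLLOWLOCATION => false,             // a redirect to an internal host is not followed
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"], // pin validated IP
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        throw new RuntimeException('logo download failed');
    }
    file_put_contents($destPath, $body);
}
```

Hosts that resolve only to IPv6 are rejected by this example; extending it would require a `dns_get_record()` lookup for AAAA records and the equivalent IPv6 range filtering.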
Can you explain this vulnerability to me?
This vulnerability exists in invoiceninja up to version 5.12.38, specifically in the `copy` function of the file `/app/Jobs/Util/Import.php` within the Migration Import component. It involves manipulation of the `company_logo` argument, which leads to server-side request forgery (SSRF). This means an attacker can remotely cause the server to make unintended requests to other systems.
How can this vulnerability impact me?
The vulnerability can allow an attacker to perform server-side request forgery remotely, potentially enabling them to access internal systems or resources that are not directly exposed to the internet. This can lead to information disclosure, unauthorized actions, or further exploitation within the affected environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to perform server-side request forgery (SSRF) that can lead to unauthorized access to internal services and exfiltration of sensitive data, including cloud provider metadata and IAM credentials. Such data breaches and unauthorized access could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information. Therefore, this vulnerability poses a risk to compliance with these standards by potentially exposing confidential data and failing to ensure system integrity and confidentiality. [1, 2, 3]