Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-23491 is a critical path traversal vulnerability in InvoicePlane versions up to and including 1.6.3. It exists in the `get_file` method of the Guest module's Get controller, where the application accepts a filename parameter from the URL without properly sanitizing it. This allows unauthenticated attackers to manipulate the filename input to traverse directories and read arbitrary files on the server."}, {'type': 'paragraph', 'content': "Specifically, the method applies `urldecode()` to the filename but does not prevent directory traversal sequences like `../`. The unsanitized input is concatenated with a base directory path and passed to PHP's `readfile()` function, enabling attackers to access sensitive files outside the intended directory, such as configuration files containing database credentials and encryption keys."}, {'type': 'paragraph', 'content': "This vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). It was fixed in InvoicePlane version 1.6.4."}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated attackers to read arbitrary files on the server hosting InvoicePlane. As a result, sensitive information such as configuration files, database credentials, and encryption keys can be disclosed.

The impact is critical because attackers can gain access to confidential data without any authentication or user interaction, potentially leading to further compromise of the system or data breaches.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to exploit the path traversal flaw in the `get_file` method of the Guest module's Get controller in InvoicePlane. Since the vulnerability allows reading arbitrary files by manipulating the filename parameter, you can test it by sending crafted HTTP requests to the vulnerable endpoint."}, {'type': 'paragraph', 'content': 'A common method is to use cURL to request files outside the intended directory, for example, trying to read sensitive files like configuration files containing database credentials.'}, {'type': 'paragraph', 'content': 'Example command to test the vulnerability using cURL:'}, {'type': 'list_item', 'content': 'curl -v "http://<target>/index.php/guest/get_file/../../ipconfig.php"'}, {'type': 'paragraph', 'content': 'Replace `<target>` with the actual server address. If the response contains the contents of the requested file, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade InvoicePlane to version 1.6.4 or later, where this path traversal vulnerability has been fixed.

Until the upgrade can be performed, consider restricting access to the vulnerable endpoint by implementing network-level controls such as firewall rules or web application firewall (WAF) rules to block malicious requests attempting directory traversal sequences.

Additionally, monitor server logs for suspicious requests containing directory traversal patterns like `../` and respond accordingly.

Useful 0 Not Useful 0