CVE-2026-29925
Server-Side Request Forgery in Invoice Ninja CheckDatabaseRequest.php
Publication date: 2026-03-30
Last updated on: 2026-04-02
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| invoiceninja | invoice_ninja | 5.12.46 |
| invoiceninja | invoice_ninja | 5.12.48 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29925 is a Server-Side Request Forgery (SSRF) vulnerability in Invoice Ninja versions 5.12.46 through 5.12.48, and likely all 5.x releases. It exists in the authorize() method of the CheckDatabaseRequest.php file, which incorrectly allows unauthenticated users to access certain setup endpoints even after the application setup is complete.
This flaw lets an attacker send crafted POST requests to the /setup/check_db and /setup/check_mail endpoints with arbitrary host and port parameters. The server then makes outbound connections to these attacker-specified destinations, enabling the attacker to perform actions such as internal network scanning, accessing cloud metadata services, port scanning, and bypassing network segmentation.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized internal network scanning and enumeration, which can reveal sensitive infrastructure details.
Attackers can access cloud metadata endpoints (such as AWS, GCP, Azure), potentially leading to credential theft and further compromise.
It allows port scanning of internal hosts and bypassing of network segmentation controls, increasing the risk of lateral movement within the network.
The vulnerability can be exploited to attack internal services like databases and caches, potentially leading to data breaches or service disruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or unauthorized POST requests to the endpoints `/setup/check_db` and `/setup/check_mail` on the Invoice Ninja server.
Specifically, look for POST requests containing parameters such as `db_host` and `db_port` for `/setup/check_db` or `mail_host` and `mail_port` for `/setup/check_mail`. These requests may be attempting to trigger Server-Side Request Forgery (SSRF) by causing the server to make outbound connections to attacker-controlled or internal network addresses.
To detect exploitation attempts, you can use network monitoring or web server access logs to filter for such POST requests.
- Use tools like `tcpdump` or `Wireshark` to capture outbound traffic from the server to unusual or internal IP addresses and ports.
- Check web server logs (e.g., Apache or Nginx access logs) for POST requests to `/setup/check_db` or `/setup/check_mail` with suspicious parameters.
- Example command to search logs for suspicious POST requests: `grep -E 'POST /setup/check_(db|mail)' /var/log/nginx/access.log`
- Example command to monitor outbound connections to internal or cloud metadata IPs: `sudo tcpdump -i eth0 host 169.254.169.254 or net 192.168.0.0/16`
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to restrict access to the vulnerable endpoints `/setup/check_db` and `/setup/check_mail` once the Invoice Ninja setup is complete.
Specifically, the vulnerability arises because the `authorize()` method in `CheckDatabaseRequest.php` unconditionally returns true, allowing unauthenticated access to these endpoints.
The suggested fix is to modify the `authorize()` method to return `!Ninja::hasCompletedSetup()`, which will deny access to these endpoints after setup is finished.
Until a patch or update is applied, you can also mitigate risk by:
- Blocking or restricting external access to `/setup/check_db` and `/setup/check_mail` endpoints via firewall or web server configuration.
- Limiting network access to the server to trusted IP addresses only.
- Monitoring and alerting on suspicious POST requests to these endpoints.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-29925 vulnerability in Invoice Ninja allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) attacks, potentially enabling internal network scanning, access to cloud metadata endpoints, and attacks against internal services.
Such unauthorized access and potential data exposure could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and internal systems.
Specifically, if an attacker exploits this vulnerability to access internal services or cloud metadata containing sensitive information or credentials, it could result in unauthorized disclosure or compromise of personal or protected health information.
Therefore, this vulnerability poses a risk to compliance with standards that mandate confidentiality, integrity, and controlled access to sensitive data.