CVE-2026-29925
Server-Side Request Forgery in Invoice Ninja CheckDatabaseRequest.php

Publication date: 2026-03-30

Last updated on: 2026-04-02

Assigner: MITRE

Description
Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor        Product        Version
invoiceninja  invoice_ninja  5.12.46
invoiceninja  invoice_ninja  5.12.48
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

CVE-2026-29925 is a Server-Side Request Forgery (SSRF) vulnerability in Invoice Ninja versions 5.12.46 through 5.12.48, and likely all 5.x releases. It exists in the authorize() method of the CheckDatabaseRequest.php file, which incorrectly allows unauthenticated users to access certain setup endpoints even after the application setup is complete.

This flaw lets an attacker send crafted POST requests to the /setup/check_db and /setup/check_mail endpoints with arbitrary host and port parameters. The server then opens outbound connections to these attacker-specified destinations, enabling internal network and port scanning, access to cloud metadata services, and bypass of network segmentation.

Impact Analysis

This vulnerability can have serious impacts including unauthorized internal network scanning and enumeration, which can reveal sensitive infrastructure details.

Attackers can access cloud metadata endpoints (such as AWS, GCP, Azure), potentially leading to credential theft and further compromise.

It allows port scanning of internal hosts and bypassing of network segmentation controls, increasing the risk of lateral movement within the network.

The vulnerability can be exploited to attack internal services like databases and caches, potentially leading to data breaches or service disruption.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized POST requests to the endpoints `/setup/check_db` and `/setup/check_mail` on the Invoice Ninja server.

Specifically, look for POST requests containing parameters such as `db_host` and `db_port` for `/setup/check_db` or `mail_host` and `mail_port` for `/setup/check_mail`. These requests may be attempting to trigger Server-Side Request Forgery (SSRF) by causing the server to make outbound connections to attacker-controlled or internal network addresses.

To detect exploitation attempts, you can use network monitoring or web server access logs to filter for such POST requests.

  • Use tools like `tcpdump` or `Wireshark` to capture outbound traffic from the server to unusual or internal IP addresses and ports.
  • Check web server logs (e.g., Apache or Nginx access logs) for POST requests to `/setup/check_db` or `/setup/check_mail` with suspicious parameters.
  • Example command to search logs for suspicious POST requests: `grep -E 'POST /setup/check_(db|mail)' /var/log/nginx/access.log`
  • Example command to monitor outbound connections to internal or cloud metadata IPs: `sudo tcpdump -i eth0 host 169.254.169.254 or net 192.168.0.0/16`
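
The detection guidance above, worked into a small script: an added example, not part of the original advisory or of Invoice Ninja. It parses constructed nginx combined-format access log lines for POSTs to the two setup endpoints, and classifies `db_host`/`mail_host` values as internal (loopback, RFC 1918, link-local such as 169.254.169.254), public, or an unresolved hostname; the log lines and form body are sample data.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed nginx "combined"-format access log lines (sample data, not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2026:10:00:01 +0000] "GET /client/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Mar/2026:10:00:02 +0000] "POST /setup/check_db HTTP/1.1" 200 45 "-" "curl/8.0"
203.0.113.7 - - [30/Mar/2026:10:00:03 +0000] "POST /setup/check_mail HTTP/1.1" 200 45 "-" "curl/8.0"
10.0.0.9 - - [30/Mar/2026:10:00:04 +0000] "POST /api/v1/invoices HTTP/1.1" 201 900 "-" "Mozilla/5.0"
"""

# Combined-format fields we need: client address, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The two setup endpoints named in the advisory, with or without a query string.
SETUP_PATH_RE = re.compile(r"^/setup/check_(db|mail)(\?|$)")

def find_setup_probes(log_text):
    """Return (client_ip, path, timestamp) for each POST to /setup/check_db or /setup/check_mail."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and SETUP_PATH_RE.match(m["path"]):
            hits.append((m["src"], m["path"], m["ts"]))
    return hits

def classify_target(host):
    """'internal' for loopback/RFC 1918/link-local/other non-routable addresses,
    'public' for globally routable ones, 'hostname' for names needing resolution."""
    if host.lower() == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # accept bracketed IPv6 literals
    except ValueError:
        return "hostname"
    return "public" if ip.is_global else "internal"

def suspicious_params(body):
    """Return (parameter, value) pairs from a recorded form body whose db_host/mail_host
    target is not a public address (internal targets and unresolved hostnames)."""
    flagged = []
    for key, values in parse_qs(body).items():
        if key in ("db_host", "mail_host"):
            flagged.extend((key, v) for v in values if classify_target(v) != "public")
    return flagged

if __name__ == "__main__":
    for src, path, ts in find_setup_probes(SAMPLE_LOG):
        print(f"{ts} setup endpoint probed from {src}: POST {path}")
    print(suspicious_params("db_host=169.254.169.254&db_port=80&db_username=ninja"))
```

Access logs do not record POST bodies, so `suspicious_params` needs its input from a WAF, an nginx log format that includes `$request_body`, or application-level logging; `find_setup_probes` alone already flags any post-setup traffic to these endpoints, which should not occur once setup is complete.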

Mitigation Strategies

The immediate mitigation step is to restrict access to the vulnerable endpoints `/setup/check_db` and `/setup/check_mail` once the Invoice Ninja setup is complete.

Specifically, the vulnerability arises because the `authorize()` method in `CheckDatabaseRequest.php` unconditionally returns true, allowing unauthenticated access to these endpoints.

The suggested fix is to modify the `authorize()` method to return `!Ninja::hasCompletedSetup()`, which will deny access to these endpoints after setup is finished.

Until a patch or update is applied, you can also mitigate risk by:

  • Blocking or restricting external access to `/setup/check_db` and `/setup/check_mail` endpoints via firewall or web server configuration.
  • Limiting network access to the server to trusted IP addresses only.
  • Monitoring and alerting on suspicious POST requests to these endpoints.

Compliance Impact

The CVE-2026-29925 vulnerability in Invoice Ninja allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) attacks, potentially enabling internal network scanning, access to cloud metadata endpoints, and attacks against internal services.

Such unauthorized access and potential data exposure could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and internal systems.

Specifically, if an attacker exploits this vulnerability to access internal services or cloud metadata containing sensitive information or credentials, it could result in unauthorized disclosure or compromise of personal or protected health information.

Therefore, this vulnerability poses a risk to compliance with standards that mandate confidentiality, integrity, and controlled access to sensitive data.
