CVE-2026-46622
Deferred - Pending Action
Plaintext API Token Storage in SolidInvoice

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database (through SQL injection, a leaked backup, a misconfigured replica, or insider access) immediately obtains all API credentials for every user with no further effort. This issue has been patched in version 2.3.17.
Meta Information
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
Affected Vendors & Products
Vendor        Product        Version / Range
solidinvoice  solidinvoice   all versions before 2.3.17 (2.3.17 excluded): vulnerable
solidinvoice  solidinvoice   2.3.17: fixed version
CWE
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-46622 is a cleartext credential storage vulnerability (CWE-312) in the SolidInvoice invoicing platform, versions 2.3.16 and earlier. API tokens, which authenticate all REST API requests, are stored as plaintext strings in the api_tokens database table. If an attacker gains read access to the database (through SQL injection, leaked backups, misconfigured replicas, or insider access), they obtain every user's API credentials immediately and with no further effort. No CVSS score is recorded on this page; the severity follows from the blast radius, which is every API credential in the deployment.

Although the tokens are generated securely, generation strength does not help here: the stored value is the credential itself, so whoever can read the row can replay it as a bearer token. This lets an attacker impersonate any user who holds an API token and access that user's data.

Impact Analysis

If exploited, this vulnerability allows an attacker with read access to the database to obtain all API tokens for every user. With these tokens, the attacker can gain full API access, impersonate users, and exfiltrate or manipulate sensitive information such as invoices, client details, and payment records.

This leads to significant confidentiality and integrity loss, as attackers can access and alter critical financial and client data without authorization.

Detection Guidance

Any SolidInvoice installation running 2.3.16 or earlier is affected, so the version check is the primary test. Confirm the installed version from the application's own metadata (the version shown in the web interface or recorded in the installed package files); the advisory does not document a command-line version switch, so do not rely on one.

To confirm the storage format directly, query the api_tokens table, for example: SELECT * FROM api_tokens LIMIT 10; (the advisory names the table but not the column that holds the credential). Note that a hex-encoded random token and a hex-encoded SHA-256 digest both appear as 64 hexadecimal characters, so "readable plaintext" cannot be judged by eye. The reliable test is to create a new API token through the application and then check whether that exact string appears in the table:

  • If the stored value is identical to the token you were just issued, tokens are stored in plaintext and the installation is vulnerable.
  • If the stored value is a fixed-length digest that does not match the token you hold, hashed storage is in place.

Treat a positive result as a credential exposure: every token in that table is usable as-is by anyone who can read it, and so are copies of the table in backups and replicas.
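The check above, as an added example rather than anything from the advisory or the SolidInvoice project (which is PHP; this is a stand-alone Python model). It assumes the patched storage form is hex(HMAC-SHA256(key = SOLIDINVOICE_APP_SECRET, msg = token)), inferred from the advisory's statement that rotating the secret invalidates all tokens; the sample rows, token and secret are constructed. Given a token you just created and the values read from the table, it classifies each value as plaintext, keyed digest, or unknown, and shows why a hex-looking value proves nothing on its own.

```python
import hashlib
import hmac


def hmac_sha256_hex(app_secret: str, token: str) -> str:
    """Assumed patched storage form: hex(HMAC-SHA256(key=app secret, msg=token))."""
    return hmac.new(app_secret.encode(), token.encode(), hashlib.sha256).hexdigest()


def looks_like_hex_token(value: str) -> bool:
    """Why eyeballing the column is not a test: a 32-byte random token and a
    SHA-256 digest are both 64 hex characters and look identical."""
    return len(value) == 64 and all(c in "0123456789abcdef" for c in value.lower())


def classify_stored_value(stored: str, known_token: str, app_secret: str) -> str:
    """Classify one stored value against a token you hold (e.g. one you just
    created through the application) and the deployment's app secret.

    Returns "plaintext" (vulnerable), "hmac-sha256" (assumed patched form),
    or "unknown" (some other encoding, or a different secret).
    compare_digest is used so the audit itself does not leak through timing.
    """
    if hmac.compare_digest(stored, known_token):
        return "plaintext"
    if hmac.compare_digest(stored, hmac_sha256_hex(app_secret, known_token)):
        return "hmac-sha256"
    return "unknown"


def audit(rows, known_token: str, app_secret: str):
    """Classify every value read from the table and report whether any row is
    a directly usable credential."""
    verdicts = [classify_stored_value(value, known_token, app_secret) for value in rows]
    return verdicts, "plaintext" in verdicts


# Constructed sample data (not real credentials): the token the application
# handed the operator, the app secret, and the credential column of two
# hypothetical api_tokens rows, one written before 2.3.17 and one after.
APP_SECRET = "constructed-app-secret-do-not-reuse"
KNOWN_TOKEN = "3a9f" * 16                                   # 64 hex chars
ROW_BEFORE_FIX = KNOWN_TOKEN                                # stored verbatim
ROW_AFTER_FIX = hmac_sha256_hex(APP_SECRET, KNOWN_TOKEN)    # stored as keyed digest

if __name__ == "__main__":
    rows = [ROW_BEFORE_FIX, ROW_AFTER_FIX]
    verdicts, vulnerable = audit(rows, KNOWN_TOKEN, APP_SECRET)
    for value, verdict in zip(rows, verdicts):
        print(f"{value[:16]}...  hex-looking={looks_like_hex_token(value)}  storage={verdict}")
    print("VULNERABLE: plaintext API tokens present" if vulnerable else "no plaintext tokens found")
```

Run it against the real column by replacing the constructed rows with the values your query returned and KNOWN_TOKEN with the token the application showed you; a result of "unknown" for every row means the deployment uses some other encoding or secret, not that it is safe.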

Mitigation Strategies

The fix is to upgrade SolidInvoice to version 2.3.17 or later, where the api_tokens table holds an HMAC-SHA256 digest of each token (keyed with the application secret) instead of the token itself. The token is shown to the user once at creation and cannot be recovered from the database afterwards.

On upgrade the existing rows are re-hashed in place, so current tokens keep working. Two caveats follow from this:

  • Re-hashing does not revoke anything. A token that was already copied out of the database (from a dump, a backup, a replica, or an earlier SQL injection) still authenticates after the upgrade. If you cannot rule out prior read access, rotate the application secret (SOLIDINVOICE_APP_SECRET): because the stored digests are keyed with it, rotation invalidates every existing API token at once and forces all users to generate new ones. Schedule this with your API consumers, since every integration breaks at the same moment.
  • Backups and replicas taken before the upgrade still contain the plaintext tokens. Treat them as credential material: restrict access to them and purge them once they are no longer needed.

Recommended order:

  • Upgrade SolidInvoice to version 2.3.17 or newer.
  • Rotate SOLIDINVOICE_APP_SECRET to invalidate all existing API tokens and force regeneration (needed to revoke tokens that may already have leaked).
  • Ensure that token names are unique and monitor for any errors related to token duplication after the upgrade.
  • Review the database read paths the advisory lists as exposure routes (SQL injection, backup handling, replica configuration, insider access): hashed storage limits what a read yields, it does not remove the read.

These steps prevent an attacker from obtaining usable API tokens from the database and, where the secret is rotated, revoke any that were obtained before the upgrade.
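The storage change and its two consequences (a dump of the patched table is useless to an attacker; an in-place re-hash keeps old tokens alive until the secret is rotated), as an added Python model that is not SolidInvoice's code. It assumes the same keyed-digest form as above, hex(HMAC-SHA256(SOLIDINVOICE_APP_SECRET, token)), and uses an in-memory dict in place of the api_tokens table; all names, users and secrets are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def token_digest(app_secret: str, token: str) -> str:
    """Assumed patched storage form: hex(HMAC-SHA256(key=app secret, msg=token))."""
    return hmac.new(app_secret.encode(), token.encode(), hashlib.sha256).hexdigest()


class PlaintextTokenStore:
    """Pre-2.3.17 behaviour as the advisory describes it: the row IS the credential."""

    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}  # stored value -> user (stands in for api_tokens)

    def issue(self, user: str) -> str:
        token = secrets.token_hex(32)   # generated securely, then stored verbatim
        self.rows[token] = user
        return token

    def authenticate(self, presented: str) -> Optional[str]:
        return self.rows.get(presented)


class HashedTokenStore:
    """Patched behaviour: generate randomly, store only the keyed digest."""

    def __init__(self, app_secret: str) -> None:
        self.app_secret = app_secret
        self.rows: Dict[str, str] = {}  # digest -> user

    def issue(self, user: str) -> str:
        token = secrets.token_hex(32)
        self.rows[token_digest(self.app_secret, token)] = user
        return token  # shown to the user once; never retained

    def authenticate(self, presented: str) -> Optional[str]:
        # Recompute the digest and look it up; the column can stay indexed because
        # the stored value is a keyed digest of a high-entropy token, not a secret.
        return self.rows.get(token_digest(self.app_secret, presented))

    @classmethod
    def migrate(cls, old: PlaintextTokenStore, app_secret: str) -> "HashedTokenStore":
        """In-place re-hash on upgrade: existing tokens keep working. Anything
        copied out of the old table beforehand keeps working too, which is why
        rotation is still required when prior read access cannot be excluded."""
        new = cls(app_secret)
        for token, user in old.rows.items():
            new.rows[token_digest(app_secret, token)] = user
        return new

    def rotate_secret(self, new_secret: str) -> None:
        """Digests are keyed with the secret, so rotating it orphans every row:
        existing tokens stop verifying and every user must issue a new one."""
        self.app_secret = new_secret


def replay_from_dump(store, leaked_values: List[str]) -> List[str]:
    """What someone with read access to the table can do with the dumped column:
    present each value as a bearer token and collect the users it logs in as."""
    hits = []
    for value in leaked_values:
        user = store.authenticate(value)
        if user is not None:
            hits.append(user)
    return hits


if __name__ == "__main__":
    old = PlaintextTokenStore()
    alice_token = old.issue("alice")
    leaked_before_upgrade = list(old.rows)          # attacker dumped the column
    print("pre-fix dump replays as:", replay_from_dump(old, leaked_before_upgrade))

    migrated = HashedTokenStore.migrate(old, "constructed-app-secret")
    print("post-upgrade dump replays as:", replay_from_dump(migrated, list(migrated.rows)))
    print("pre-upgrade dump still replays as:", replay_from_dump(migrated, leaked_before_upgrade))
    migrated.rotate_secret("constructed-rotated-secret")
    print("after SOLIDINVOICE_APP_SECRET rotation:", replay_from_dump(migrated, leaked_before_upgrade))
    print("alice's own token after rotation:", migrated.authenticate(alice_token))
```

The last two lines are the trade-off the mitigation section describes: rotation is what finally kills the leaked copy, and it kills every legitimate token at the same time.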
