SolidInvoice: API tokens stored as plaintext in the database allowing full credential compromise on database breach
CVE-2026-46622

8.1HIGH

Key Information:

Vendor

Solidinvoice

Status
Solidinvoice
Vendor
CVE Published:
11 June 2026

What is CVE-2026-46622?

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a misconfigured replica, or insider access — immediately obtains all API credentials for every user with no further effort. This issue has been patched in version 2.3.17.

Affected Version(s)

SolidInvoice < 2.3.17

References

https://github.com/SolidInvoice/SolidInvoice/security/adv...
x_refsource_CONFIRM
https://github.com/SolidInvoice/SolidInvoice/commit/86453...
x_refsource_MISC
https://github.com/SolidInvoice/SolidInvoice/releases/tag...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.