PatchSiren cyber security CVE debrief
CVE-2026-46622 SolidInvoice CVE debrief
CVE-2026-46622 is a high-severity vulnerability in SolidInvoice, an open-source invoicing platform. Prior to version 2.3.17, the API tokens used to authenticate every REST API request were stored as plaintext strings in the api_tokens database table. Any attacker with read access to that table, whether through SQL injection, a leaked backup, a misconfigured replica, or insider access, therefore obtained working API credentials for every user with no further effort: the stored value is the bearer token itself, so there is nothing to crack or guess. The issue has been patched in version 2.3.17.
- Vendor
- SolidInvoice
- Product
- SolidInvoice
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-11
- Original CVE updated
- 2026-06-11
- Advisory published
- 2026-06-11
- Advisory updated
- 2026-06-11
Who should care
Anyone running SolidInvoice earlier than 2.3.17 should upgrade, and should treat API tokens issued before the upgrade as potentially exposed: the patch changes how tokens are stored from now on, but it cannot undo a disclosure that may already have happened from a backup, replica, or injected query, so tokens should be rotated after the upgrade.
Technical summary
CVE-2026-46622 carries a CVSS score of 8.1 and is classified as HIGH severity. The weakness is in credential storage rather than in the API's authentication logic: because the api_tokens table holds the bearer token itself instead of a one-way digest of it, reading the table is equivalent to holding every user's API credential, and any vector that yields database read access (SQL injection, an exposed backup, a misconfigured replica, insider access) escalates directly to full API access as every user. A store that keeps only a hash of each token, and hashes the presented token before lookup, leaves a leaked table with nothing that can be replayed against the API.
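As an added illustration of this weakness class (this is not SolidInvoice code; the two-column table layout, the class names, and the `replay_leak` helper are assumptions made for the demonstration), the following Python contrasts a plaintext token store with a digest-based one. Both are exercised the way an attacker with SELECT access would exercise them: every stored value is dumped and presented back to the API as a bearer token.

```python
"""Plaintext vs hashed API token storage, illustrating CVE-2026-46622's
weakness class. Added example; schema and names are assumptions, not
SolidInvoice's own implementation."""
import hashlib
import hmac
import secrets
import sqlite3


def _digest(token: str) -> str:
    # An unsalted fast hash is adequate here only because the token is 32
    # random bytes: there is nothing to brute-force. Low-entropy secrets
    # such as passwords need a slow, salted KDF instead.
    return hashlib.sha256(token.encode()).hexdigest()


class PlaintextTokenStore:
    """Vulnerable pattern: the bearer token itself is the stored value, so a
    database read (SQLi, leaked backup, replica, insider) yields working
    credentials for every user."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")  # constructed stand-in table
        self.db.execute("CREATE TABLE api_tokens (user_id INTEGER, token TEXT)")

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)
        self.db.execute("INSERT INTO api_tokens VALUES (?, ?)", (user_id, token))
        return token

    def authenticate(self, presented: str):
        row = self.db.execute(
            "SELECT user_id FROM api_tokens WHERE token = ?", (presented,)
        ).fetchone()
        return row[0] if row else None

    def dump(self) -> list:
        # What an attacker with SELECT access on the table walks away with.
        return [r[0] for r in self.db.execute("SELECT token FROM api_tokens")]


class HashedTokenStore:
    """Hardened pattern: only a digest of the token is stored. The token is
    shown to the user once at issue time and never persisted, so a leaked
    table contains nothing that can be replayed against the API."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")  # constructed stand-in table
        self.db.execute(
            "CREATE TABLE api_tokens (user_id INTEGER, token_hash TEXT UNIQUE)"
        )

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT INTO api_tokens VALUES (?, ?)", (user_id, _digest(token))
        )
        return token  # caller shows this once; it is not recoverable later

    def authenticate(self, presented: str):
        digest = _digest(presented)
        row = self.db.execute(
            "SELECT user_id, token_hash FROM api_tokens WHERE token_hash = ?",
            (digest,),
        ).fetchone()
        # The indexed lookup is keyed on the digest, not the secret; the
        # constant-time compare guards the final equality check.
        if row and hmac.compare_digest(row[1], digest):
            return row[0]
        return None

    def rotate(self, user_id: int) -> str:
        # Post-upgrade rotation: the old digest is deleted, so a token copied
        # from a pre-fix plaintext table stops working even if it is replayed.
        self.db.execute("DELETE FROM api_tokens WHERE user_id = ?", (user_id,))
        return self.issue(user_id)

    def dump(self) -> list:
        return [r[0] for r in self.db.execute("SELECT token_hash FROM api_tokens")]


def replay_leak(store) -> list:
    """Attacker step: present every value read from the table as a bearer
    token and record which user (if any) it authenticates as."""
    return [store.authenticate(value) for value in store.dump()]


if __name__ == "__main__":
    weak, strong = PlaintextTokenStore(), HashedTokenStore()
    for uid in (1, 2):
        weak.issue(uid)
        strong.issue(uid)
    print("plaintext table replay ->", replay_leak(weak))
    print("hashed table replay    ->", replay_leak(strong))
```

Against the plaintext store the replay authenticates as every user; against the hashed store every dumped value fails, because the API hashes whatever is presented and the attacker only holds hashes. The `rotate` method shows why rotation after upgrading still matters: changing the storage format does not invalidate tokens that were already copied while they were stored in the clear.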
Defensive priority
High
Recommended defensive actions
- Update SolidInvoice to version 2.3.17 or later
- Rotate API tokens for all users after the upgrade; any token issued while plaintext storage was in effect should be treated as potentially exposed
- Review and secure database access controls: restrict who and what can read the api_tokens table, check where backups and replicas of the database are reachable, and review available query and backup access records for signs that the table was read
Evidence notes
The vulnerability was patched in version 2.3.17. For more information, see [ref-5](https://github.com/SolidInvoice/SolidInvoice/releases/tag/2.3.17) and [ref-6](https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-qjfc-h39r-cgwq).
Official resources
CVE-2026-46622 was published on 2026-06-11.