CVE-2026-23491
Published: 18 February 2026
Summary
CVE-2026-23491 is a critical-severity Path Traversal (CWE-22) vulnerability in Invoiceplane Invoiceplane. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 40.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-23491 is a path traversal vulnerability (CWE-22) in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane, a self-hosted open source application for managing invoices, clients, and payments. The flaw affects all versions up to and including 1.6.3, enabling attackers to read arbitrary files on the server by manipulating the input filename parameter. This issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact with no requirements for authentication or user interaction.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity to access sensitive files, such as configuration files containing database credentials. Successful exploitation leads to the disclosure of critical information that could facilitate further attacks, like unauthorized database access, but does not allow modification or execution of code.
The InvoicePlane security advisory (GHSA-88gq-mv54-v3fc) and the fixing commit (add8bb798dde621f886823065ef1841986543c69) confirm that upgrading to version 1.6.4 resolves the issue by addressing the path traversal in the affected controller method. Security practitioners should prioritize patching affected instances and review access logs for suspicious `get_file` requests.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7928
Vulnerability details
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated…
more
attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal enables direct arbitrary local file read (T1005) and specifically access to credential files (T1552.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the path traversal vulnerability by requiring timely patching to version 1.6.4, which fixes the flawed get_file method.
Prevents exploitation by validating and sanitizing the input filename parameter to block path traversal sequences like '../' in the Guest module's Get controller.
Enforces application-level access controls to restrict unauthenticated file reads to authorized paths only, blocking arbitrary file disclosure.