CVE-2026-0649 identifies a server-side request forgery (SSRF) vulnerability in the InvoiceNinja invoicing software, affecting all versions up to 5.12.38. The vulnerability exists in the copy function within the /app/Jobs/Util/Import.php file, part of the Migration Import component. Specifically, the company_logo parameter is improperly validated or sanitized, allowing an attacker to supply a crafted URL or resource reference that the server will fetch. This can be exploited remotely without user interaction but requires the attacker to have high privileges on the system, indicating that some form of authentication or elevated access is necessary. The SSRF flaw enables attackers to coerce the server into making arbitrary HTTP or network requests, potentially accessing internal services, metadata endpoints, or other protected resources not normally reachable from outside the network. While no public patches or vendor responses have been issued, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) reflects a medium severity rating with network attack vector, low attack complexity, no user interaction, but requiring high privileges. The impact includes possible information disclosure, internal network reconnaissance, and potential pivoting for further attacks. The lack of vendor response and public disclosure necessitate immediate attention by organizations using affected versions of InvoiceNinja.

The SSRF vulnerability in InvoiceNinja can have significant consequences for organizations relying on this software for financial and invoicing operations. Attackers with high privileges can exploit this flaw to make unauthorized requests from the vulnerable server to internal or external systems. This can lead to unauthorized access to sensitive internal services, exposure of confidential data, or interaction with cloud metadata services that may reveal credentials or configuration details. Additionally, SSRF can be a stepping stone for lateral movement within a network or for launching further attacks such as remote code execution if combined with other vulnerabilities. The impact is heightened in environments where InvoiceNinja is exposed to the internet or integrated with critical internal systems. The absence of vendor patches and public exploit code increases the urgency for organizations to implement mitigations. Overall, this vulnerability threatens confidentiality and integrity, with a moderate impact on availability.

To mitigate CVE-2026-0649, organizations should first upgrade InvoiceNinja to a version where this vulnerability is patched once available. In the absence of an official patch, implement strict input validation and sanitization on the company_logo parameter to prevent malicious URLs or payloads. Restrict the server's outbound network access using firewall rules or network segmentation to limit requests only to trusted destinations, thereby reducing the SSRF attack surface. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious SSRF patterns targeting the vulnerable endpoint. Monitor logs for unusual outbound requests originating from the InvoiceNinja server. Limit user privileges to the minimum necessary to reduce the risk of high-privilege exploitation. Consider isolating the InvoiceNinja instance in a restricted network zone to prevent access to sensitive internal resources. Finally, maintain vigilant threat intelligence monitoring for any emerging exploit code or vendor advisories.