What the vulnerability does
01 Description
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.8.
Explanation of Vulnerability in Simple Terms
02 Summary
Client Invoicing by Sprout Invoices versions 20.8.8 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify invoice data over the network. No user interaction is required. The vulnerability affects data integrity but not confidentiality or availability.
What an attacker can do
03 Attacker Capabilities
Modify invoice records without authentication.
Potential impact on your site
04 Site Impact
Invoices can be altered by anyone with network access, risking financial record tampering.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
February 19, 2026: CVE published
April 28, 2026: Record updated