CVE-2026-33530

EUVD-2026-16359 | Severity: HIGH | Published: 2026-03-26 | Source: GitHub_M | CVSS 3.1 base score: 7.7

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

EUVD ID Assigned (EUVD-2026-16359): Mar 26, 2026 - 20:00 (euvd)
Analysis Generated: Mar 26, 2026 - 20:00 (vuln.today)
CVE Published: Mar 26, 2026 - 19:34 (nvd)

Description

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a `filters` parameter that is passed directly to Django's ORM as `queryset.filter(**filters)` without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's `__` lookup syntax and perform blind boolean-based data extraction. This issue is patched in versions 1.2.6 and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.
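The root cause described above is a user-controlled dictionary handed straight to `queryset.filter(**filters)`, so any Django lookup string, including `__` traversal into related models, reaches the ORM. The defensive fix is to allowlist the filter keys before they touch the ORM. The following is an added example written for this page, not InvenTree's own patch: it assumes the endpoint receives `filters` as a JSON object, that the model's plain (non-relational) field names are known, and that only a fixed set of single-field Django lookups is acceptable. It needs no Django to run; `apply_filters` is a tiny in-memory stand-in for `queryset.filter` so the sanitized output can be exercised on constructed rows.

```python
"""Allowlisting user-supplied ORM filter keys (added example, not InvenTree code).

Assumptions (not from the advisory): the request body carries a JSON object
`filters`; PART_FIELDS lists the model's own scalar fields; SAFE_LOOKUPS is the
set of Django lookups the endpoint is willing to support.
"""
from __future__ import annotations

from typing import Any, Mapping

# Single-field Django lookups that cannot traverse a relationship.
# `regex`/`iregex` are deliberately left out (user-controlled regex = DoS risk).
SAFE_LOOKUPS = {
    "exact", "iexact", "contains", "icontains", "startswith", "istartswith",
    "in", "gt", "gte", "lt", "lte", "isnull",
}

# Hypothetical allowlist of scalar fields on a Part-like model (constructed).
PART_FIELDS = {"name", "IPN", "active", "description"}


class FilterValidationError(ValueError):
    """Raised when a filter key is not on the allowlist."""


def validate_filter_key(key: str, allowed_fields: set[str]) -> tuple[str, str]:
    """Split `field__lookup` and reject anything that is not field + safe lookup.

    A key with more than one `__` segment (e.g. `category__owner__email`) is a
    relationship traversal and is rejected outright, which is the point of the fix.
    """
    parts = key.split("__")
    field = parts[0]
    if field not in allowed_fields:
        raise FilterValidationError(f"field not filterable: {field!r}")
    if len(parts) == 1:
        return field, "exact"
    if len(parts) == 2 and parts[1] in SAFE_LOOKUPS:
        return field, parts[1]
    raise FilterValidationError(f"lookup not allowed: {key!r}")


def sanitize_filters(filters: Mapping[Any, Any], allowed_fields: set[str]) -> dict[str, Any]:
    """Return a normalized `{field__lookup: value}` dict safe to splat into filter()."""
    clean: dict[str, Any] = {}
    for key, value in filters.items():
        if not isinstance(key, str):
            raise FilterValidationError(f"filter key must be a string: {key!r}")
        field, lookup = validate_filter_key(key, allowed_fields)
        clean[f"{field}__{lookup}"] = value
    return clean


def apply_filters(rows: list[dict[str, Any]], clean: dict[str, Any]) -> list[dict[str, Any]]:
    """In-memory stand-in for queryset.filter(**clean) covering a few lookups."""
    def matches(row: dict[str, Any]) -> bool:
        for key, wanted in clean.items():
            field, lookup = key.split("__")
            actual = row.get(field)
            if lookup == "exact" and actual != wanted:
                return False
            if lookup == "icontains" and (
                not isinstance(actual, str) or str(wanted).lower() not in actual.lower()
            ):
                return False
            if lookup == "in" and actual not in wanted:
                return False
            if lookup == "isnull" and (actual is None) != bool(wanted):
                return False
            if lookup not in {"exact", "icontains", "in", "isnull"}:
                raise NotImplementedError(f"stand-in does not implement {lookup}")
        return True
    return [r for r in rows if matches(r)]


# Constructed sample rows standing in for a Part table.
PARTS = [
    {"name": "M3 bolt", "IPN": "BOLT-M3", "active": True, "description": None},
    {"name": "M4 bolt", "IPN": "BOLT-M4", "active": False, "description": "legacy"},
    {"name": "M3 nut", "IPN": "NUT-M3", "active": True, "description": None},
]


if __name__ == "__main__":
    ok = sanitize_filters({"name__icontains": "bolt", "active": True}, PART_FIELDS)
    print(apply_filters(PARTS, ok))
    for bad in ({"category__owner__email__startswith": "a"}, {"secret": 1}):
        try:
            sanitize_filters(bad, PART_FIELDS)
        except FilterValidationError as exc:
            print("rejected:", exc)
```

A real Django view would call `queryset.filter(**sanitize_filters(request.data["filters"], PART_FIELDS))` and translate `FilterValidationError` into a 400 response; the allowlist, not the shape of the incoming dict, is what removes the traversal primitive.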

Analysis

Authenticated attackers with low-level privileges can exfiltrate sensitive database information from InvenTree open source inventory management systems prior to version 1.2.6 by abusing unvalidated filter parameters in bulk operation API endpoints. The vulnerability enables blind boolean-based data extraction through Django ORM relationship traversal, achieving high confidentiality impact with changed scope per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (score 7.7). …


Remediation

Within 24 hours: Identify all InvenTree deployments and document current versions. Within 7 days: Upgrade to InvenTree 1.2.6 or 1.3.0 (or later); verify patch installation in non-production environments first. …


Priority Score: 39

KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0


CVE-2026-33530 vulnerability details – vuln.today
