Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
8DescriptionGitHub Advisory
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0.
AnalysisAI
Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenticated attackers to elevate any user account to staff level through improperly secured API endpoints. Exploitation requires no special conditions beyond network access and enables unauthorized administrative access to inventory management functions. EPSS score of 0.03% (8th percentile) indicates low observed exploitation likelihood, and SSVC assessment confirms no known exploitation with non-automatable attack requiring user account creation first.
Technical ContextAI
InvenTree is an open-source inventory management platform built with Django and Django REST Framework. This vulnerability stems from CWE-285 (Improper Authorization), specifically inadequate access controls on user account modification API endpoints. The REST API framework's permission classes were misconfigured to allow write operations on the user profile endpoint without proper staff-level authorization checks. This architectural flaw permits POST requests containing privilege escalation payloads to succeed when they should be restricted to existing staff accounts or system administrators. The vulnerability affects the user serializer and view logic that handles account attribute updates, where the 'is_staff' boolean field modification was not properly gated behind administrative permission validators.
RemediationAI
Upgrade immediately to InvenTree version 1.2.7 or 1.3.0, both confirmed patched releases per GitHub security advisory GHSA-r8q5-3595-3jh2. Organizations running 1.2.x stable branch should update to 1.2.7; those on 1.3.x development track should update to 1.3.0 or later. Follow upgrade procedures at vendor documentation and verify user permission configurations post-upgrade. If immediate patching is not feasible, implement network-level access controls restricting API endpoint access to trusted IP ranges and deploy a reverse proxy (nginx, Apache) with request filtering rules to block PUT/POST/PATCH requests to /api/user/{id}/ endpoints from non-administrative source addresses - this workaround introduces operational overhead requiring whitelist maintenance for legitimate administrative access and may break mobile applications or distributed workflows. Additionally, conduct immediate audit of user accounts for unauthorized staff privilege assignments using Django admin interface or database queries against auth_user table filtering is_staff=true, revoking elevated privileges from accounts created or modified within vulnerable window. Note that access control workarounds do not address the underlying authorization flaw and should be considered temporary compensating controls only.
Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated
Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high seve
Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medi
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS
Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API
InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without re
InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch co
InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotel
InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authe
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20586