Skip to main content

Inventree CVE-2026-35476

| EUVDEUVD-2026-20586 HIGH
Improper Authorization (CWE-285)
2026-04-08 security-advisories@github.com
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

8
Analysis Updated
Apr 21, 2026 - 13:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 21, 2026 - 13:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:01 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.2.7
EUVD ID Assigned
Apr 08, 2026 - 20:23 euvd
EUVD-2026-20586
Analysis Generated
Apr 08, 2026 - 20:23 vuln.today
CVE Published
Apr 08, 2026 - 20:16 nvd
HIGH 7.2

DescriptionGitHub Advisory

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0.

AnalysisAI

Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenticated attackers to elevate any user account to staff level through improperly secured API endpoints. Exploitation requires no special conditions beyond network access and enables unauthorized administrative access to inventory management functions. EPSS score of 0.03% (8th percentile) indicates low observed exploitation likelihood, and SSVC assessment confirms no known exploitation with non-automatable attack requiring user account creation first.

Technical ContextAI

InvenTree is an open-source inventory management platform built with Django and Django REST Framework. This vulnerability stems from CWE-285 (Improper Authorization), specifically inadequate access controls on user account modification API endpoints. The REST API framework's permission classes were misconfigured to allow write operations on the user profile endpoint without proper staff-level authorization checks. This architectural flaw permits POST requests containing privilege escalation payloads to succeed when they should be restricted to existing staff accounts or system administrators. The vulnerability affects the user serializer and view logic that handles account attribute updates, where the 'is_staff' boolean field modification was not properly gated behind administrative permission validators.

RemediationAI

Upgrade immediately to InvenTree version 1.2.7 or 1.3.0, both confirmed patched releases per GitHub security advisory GHSA-r8q5-3595-3jh2. Organizations running 1.2.x stable branch should update to 1.2.7; those on 1.3.x development track should update to 1.3.0 or later. Follow upgrade procedures at vendor documentation and verify user permission configurations post-upgrade. If immediate patching is not feasible, implement network-level access controls restricting API endpoint access to trusted IP ranges and deploy a reverse proxy (nginx, Apache) with request filtering rules to block PUT/POST/PATCH requests to /api/user/{id}/ endpoints from non-administrative source addresses - this workaround introduces operational overhead requiring whitelist maintenance for legitimate administrative access and may break mobile applications or distributed workflows. Additionally, conduct immediate audit of user accounts for unauthorized staff privilege assignments using Django admin interface or database queries against auth_user table filtering is_staff=true, revoking elevated privileges from accounts created or modified within vulnerable window. Note that access control workarounds do not address the underlying authorization flaw and should be considered temporary compensating controls only.

CVE-2022-2112 HIGH POC
8.8 Jun 17

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated

CVE-2022-2111 HIGH POC
8.8 Jun 17

Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high seve

CVE-2022-2134 MEDIUM POC
6.5 Jun 20

Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medi

CVE-2022-3355 MEDIUM POC
5.4 Sep 29

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS

CVE-2022-2113 MEDIUM POC
5.4 Jun 17

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS

CVE-2026-35478 HIGH
8.3 Apr 08

Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API

CVE-2026-35479 MEDIUM
6.6 Apr 08

InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without re

CVE-2026-27629 MEDIUM
5.9 Feb 25

InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch co

CVE-2024-47610 MEDIUM
5.4 Oct 07

InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotel

CVE-2026-33531 MEDIUM
4.9 Mar 26

InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authe

Share

CVE-2026-35476 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy