Skip to main content

Inventree CVE-2026-35478

| EUVDEUVD-2026-20590 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-08 security-advisories@github.com
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 20, 2026 - 15:22 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:01 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.2.7
EUVD ID Assigned
Apr 08, 2026 - 20:23 euvd
EUVD-2026-20590
Analysis Generated
Apr 08, 2026 - 20:23 vuln.today
CVE Published
Apr 08, 2026 - 20:16 nvd
HIGH 8.3

DescriptionGitHub Advisory

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system - including administrators and superusers - by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0.

AnalysisAI

Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API tokens for arbitrary users, including administrators, enabling complete account takeover. Affected versions 0.16.0 through 1.2.6 permit low-privileged users to forge API credentials by manipulating the user field in POST requests to /api/user/tokens/. Resulting tokens provide full API access from any network location without requiring victim interaction. No public exploit identified at time of analysis.

Technical ContextAI

Broken access control in token generation endpoint fails to validate user field parameter against authenticated session identity (CWE-639: Authorization Bypass Through User-Controlled Key). API endpoint accepts arbitrary user_id values in POST body, creating valid JWT or session tokens for targeted accounts without authorization checks, enabling horizontal and vertical privilege escalation through forged credential issuance.

RemediationAI

Vendor-released patch: upgrade immediately to InvenTree version 1.2.7 or 1.3.0, which enforce proper authorization checks preventing token generation for non-owned user accounts. No workaround exists for unpatched installations; applying the security update is mandatory. Organizations unable to upgrade immediately should restrict API access to trusted networks only and audit all API tokens created since version 0.16.0 deployment for unauthorized credential issuance. Revoke any tokens created by users other than the token owner. Full vendor security advisory available at https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg with additional technical details and remediation guidance.

CVE-2022-2112 HIGH POC
8.8 Jun 17

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated

CVE-2022-2111 HIGH POC
8.8 Jun 17

Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high seve

CVE-2022-2134 MEDIUM POC
6.5 Jun 20

Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medi

CVE-2022-3355 MEDIUM POC
5.4 Sep 29

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS

CVE-2022-2113 MEDIUM POC
5.4 Jun 17

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS

CVE-2026-35476 HIGH
7.2 Apr 08

Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenti

CVE-2026-35479 MEDIUM
6.6 Apr 08

InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without re

CVE-2026-27629 MEDIUM
5.9 Feb 25

InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch co

CVE-2024-47610 MEDIUM
5.4 Oct 07

InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotel

CVE-2026-33531 MEDIUM
4.9 Mar 26

InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authe

Share

CVE-2026-35478 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy