Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The vulnerability allows staff users (who may be considered to have a lower level of trust than a superuser account) to install arbitrary (and potentially harmful) plugins. This vulnerability is fixed in 1.2.7 and 1.3.0.
AnalysisAI
InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without requiring superuser privileges, enabling privilege escalation and potential code execution. The vulnerability exists because plugin installation permissions are inconsistently enforced compared to other plugin operations (such as uninstallation) that correctly require superuser access. Staff users, typically considered lower-trust accounts than superusers, can exploit this to deploy malicious plugins with full application context. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
InvenTree's plugin system is a core extensibility mechanism for the inventory management platform. The vulnerability stems from inconsistent authorization enforcement in the plugin API endpoints-specifically the installation endpoint fails to validate that the requesting user holds superuser-level privileges, while uninstallation and other plugin management operations correctly enforce this requirement. The root cause is classified as CWE-285 (Improper Authorization), indicating that the API layer performs insufficient permission checks before allowing sensitive operations. The plugin API likely handles plugin download, validation, and installation as atomic operations without intermediate privilege gate-checks. Staff users, authenticated via the API with PR:H (high privileges within staff tier) per the CVSS vector, can call installation endpoints that bypass the superuser gate that should prevent installation of untrusted code.
RemediationAI
Upgrade InvenTree to version 1.2.7 or 1.3.0 or later. The patch corrects the authorization logic in the plugin installation API endpoint to require superuser privileges, consistent with other plugin management operations. Users unable to upgrade immediately should restrict API access to superuser accounts only and audit existing staff accounts for unauthorized plugin installations. Review the InvenTree threat model and plugin configuration documentation (referenced in advisories) to understand intended authorization boundaries and ensure organizational access controls align with the fixed privilege model. See GitHub security advisory GHSA-7c3q-vwcv-2vp7 for comprehensive remediation guidance.
Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated
Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high seve
Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medi
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS
Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API
Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenti
InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch co
InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotel
InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authe
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20592