Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
7DescriptionGitHub Advisory
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system - including administrators and superusers - by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0.
AnalysisAI
Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API tokens for arbitrary users, including administrators, enabling complete account takeover. Affected versions 0.16.0 through 1.2.6 permit low-privileged users to forge API credentials by manipulating the user field in POST requests to /api/user/tokens/. Resulting tokens provide full API access from any network location without requiring victim interaction. No public exploit identified at time of analysis.
Technical ContextAI
Broken access control in token generation endpoint fails to validate user field parameter against authenticated session identity (CWE-639: Authorization Bypass Through User-Controlled Key). API endpoint accepts arbitrary user_id values in POST body, creating valid JWT or session tokens for targeted accounts without authorization checks, enabling horizontal and vertical privilege escalation through forged credential issuance.
RemediationAI
Vendor-released patch: upgrade immediately to InvenTree version 1.2.7 or 1.3.0, which enforce proper authorization checks preventing token generation for non-owned user accounts. No workaround exists for unpatched installations; applying the security update is mandatory. Organizations unable to upgrade immediately should restrict API access to trusted networks only and audit all API tokens created since version 0.16.0 deployment for unauthorized credential issuance. Revoke any tokens created by users other than the token owner. Full vendor security advisory available at https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg with additional technical details and remediation guidance.
Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated
Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high seve
Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medi
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS
Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenti
InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without re
InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch co
InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotel
InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authe
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20590