Skip to main content

Inventree EUVDEUVD-2026-20592

| CVE-2026-35479 MEDIUM
Improper Authorization (CWE-285)
2026-04-08 security-advisories@github.com
6.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.6 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.2.7
EUVD ID Assigned
Apr 08, 2026 - 20:23 euvd
EUVD-2026-20592
Analysis Generated
Apr 08, 2026 - 20:23 vuln.today
CVE Published
Apr 08, 2026 - 20:16 nvd
MEDIUM 6.6

DescriptionGitHub Advisory

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The vulnerability allows staff users (who may be considered to have a lower level of trust than a superuser account) to install arbitrary (and potentially harmful) plugins. This vulnerability is fixed in 1.2.7 and 1.3.0.

AnalysisAI

InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without requiring superuser privileges, enabling privilege escalation and potential code execution. The vulnerability exists because plugin installation permissions are inconsistently enforced compared to other plugin operations (such as uninstallation) that correctly require superuser access. Staff users, typically considered lower-trust accounts than superusers, can exploit this to deploy malicious plugins with full application context. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

InvenTree's plugin system is a core extensibility mechanism for the inventory management platform. The vulnerability stems from inconsistent authorization enforcement in the plugin API endpoints-specifically the installation endpoint fails to validate that the requesting user holds superuser-level privileges, while uninstallation and other plugin management operations correctly enforce this requirement. The root cause is classified as CWE-285 (Improper Authorization), indicating that the API layer performs insufficient permission checks before allowing sensitive operations. The plugin API likely handles plugin download, validation, and installation as atomic operations without intermediate privilege gate-checks. Staff users, authenticated via the API with PR:H (high privileges within staff tier) per the CVSS vector, can call installation endpoints that bypass the superuser gate that should prevent installation of untrusted code.

RemediationAI

Upgrade InvenTree to version 1.2.7 or 1.3.0 or later. The patch corrects the authorization logic in the plugin installation API endpoint to require superuser privileges, consistent with other plugin management operations. Users unable to upgrade immediately should restrict API access to superuser accounts only and audit existing staff accounts for unauthorized plugin installations. Review the InvenTree threat model and plugin configuration documentation (referenced in advisories) to understand intended authorization boundaries and ensure organizational access controls align with the fixed privilege model. See GitHub security advisory GHSA-7c3q-vwcv-2vp7 for comprehensive remediation guidance.

CVE-2022-2112 HIGH POC
8.8 Jun 17

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated

CVE-2022-2111 HIGH POC
8.8 Jun 17

Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high seve

CVE-2022-2134 MEDIUM POC
6.5 Jun 20

Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medi

CVE-2022-3355 MEDIUM POC
5.4 Sep 29

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS

CVE-2022-2113 MEDIUM POC
5.4 Jun 17

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS

CVE-2026-35478 HIGH
8.3 Apr 08

Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API

CVE-2026-35476 HIGH
7.2 Apr 08

Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenti

CVE-2026-27629 MEDIUM
5.9 Feb 25

InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch co

CVE-2024-47610 MEDIUM
5.4 Oct 07

InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotel

CVE-2026-33531 MEDIUM
4.9 Mar 26

InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authe

Share

EUVD-2026-20592 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy