EUVD-2026-20596

CVE-2026-39362 | MEDIUM | 2026-04-08 | [email protected]
CVSS 4.0 base score: 5.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (3 events)

EUVD ID Assigned: Apr 08, 2026 - 20:23 (euvd) - EUVD-2026-20596
Analysis Generated: Apr 08, 2026 - 20:23 (vuln.today)
CVE Published: Apr 08, 2026 - 20:16 (nvd) - MEDIUM 5.3

Description

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirects are followed (allow_redirects=True), enabling bypass of any URL-format checks. This vulnerability is fixed in 1.2.7 and 1.3.0.

Analysis

Server-side request forgery (SSRF) in InvenTree prior to versions 1.2.7 and 1.3.0 allows authenticated users to request arbitrary internal URLs when the INVENTREE_DOWNLOAD_FROM_URL feature is enabled, bypassing URL validation through HTTP redirect chains. An attacker with valid credentials can probe internal networks, access cloud metadata endpoints, or interact with backend services not exposed to the public internet by supplying crafted remote_image URLs that are fetched server-side without IP-range restrictions.
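A defender-side hardening sketch for the fetch path the description outlines, added here as an illustration and not InvenTree's own code (the helper names validate_remote_url, fetch_remote_image, resolve_all and is_public_ip are hypothetical): it resolves the host, rejects any non-public address before each request, and follows redirects manually so that every hop is re-checked instead of trusting allow_redirects=True.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Added hardening sketch, not InvenTree's code; helper names are hypothetical.

def is_public_ip(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str.split("%")[0])  # drop any IPv6 zone id
    return ip.is_global and not ip.is_multicast

def resolve_all(hostname):
    """Every A/AAAA answer; a single private answer is enough to reject."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def validate_remote_url(url, resolver=resolve_all):
    """Return the public IPs url resolves to, or raise ValueError.
    Goes beyond a format check: http(s) only, no embedded credentials, and no
    host resolving to loopback, link-local, RFC 1918 or other non-global ranges.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError("host does not resolve")
    blocked = [a for a in addrs if not is_public_ip(a)]
    if blocked:
        raise ValueError("host resolves to non-public address: %s" % blocked)
    return addrs

def fetch_remote_image(session, url, resolver=resolve_all, max_redirects=3):
    """Request with allow_redirects=False and re-validate every redirect hop.
    Caveat: validation and connect are separate steps, so a DNS rebinding
    window remains unless the resolved IP is pinned at the transport layer.
    """
    for _ in range(max_redirects + 1):
        validate_remote_url(url, resolver)
        resp = session.get(url, allow_redirects=False, timeout=10)
        if resp.status_code not in (301, 302, 303, 307, 308):
            return resp
        location = resp.headers.get("Location")
        if not location:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)
    raise ValueError("too many redirects")
```

The resolver parameter exists so the check can be unit-tested with a constructed DNS table; in production the default resolve_all is used and a requests.Session is passed as session.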


Priority Score: 26 (scale: Low / Medium / High / Critical)

Components: KEV 0, EPSS +0.0, CVSS +26, POC 0


EUVD-2026-20596 vulnerability details – vuln.today
