Description
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0.
Published: 2026-04-08
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

A misconfigured API endpoint in InvenTree allows any authenticated non-staff user to change their own staff flag via a POST request to the user account endpoint. This improper write permission results in unauthorized elevation of privileges, effectively granting the attacker full administrative control over the system. The weakness is categorized as CWE-285: Improper Authorization.

Affected Systems

The vulnerability affects InvenTree installations running any version before 1.2.7 or 1.3.0. The affected product is the open source inventory management system developed by Inventree, Inc. No other versions or products are listed as impacted.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity issue. EPSS data is unavailable, but the lack of an official CISA KEV listing does not diminish the risk; the flaw can be exploited by any user who can obtain a normal account. The likely attack vector is a remote HTTP API request, requiring only authentication as a regular user. Once the exploit is executed, the attacker immediately gains staff privileges, compromising confidentiality, integrity, and availability of the entire system.

Generated by OpenCVE AI on April 8, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade InvenTree to version 1.2.7 or 1.3.0 or later where the issue is fixed.
  • If an upgrade is not possible immediately, modify the API permission settings to remove write access to the staff status field for non-staff users.
  • Apply any additional hardening such as restricting API access to trusted IP ranges.
  • Verify after changes that non-staff users can no longer alter their staff status via the API.
  • Monitor logs for future attempts to modify staff status.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Inventree; Inventree inventree
Vendors & Products   -                Inventree; Inventree inventree

Wed, 08 Apr 2026 20:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type         Values Removed   Values Added
Description  -                InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0.
Title        -                InvenTree Affected by Privilege Escalation via API
Weaknesses   -                CWE-285
References   -                
Metrics      -                cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:53:28.982Z

Reserved: 2026-04-02T20:49:44.453Z

Link: CVE-2026-35476

Vulnrichment

Updated: 2026-04-08T19:53:26.494Z

NVD

Status: Awaiting Analysis

Published: 2026-04-08T20:16:24.323

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-35476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:41Z

Weaknesses