Impact
An authenticated InvenTree user can create a new API token attributed to any other user by supplying that user's ID in the token creation request. The created token is immediately usable for API authentication, so the requester can fully impersonate the target user, including administrators and superusers, from any network location and without any interaction from the victim. The impersonated account's full privileges are therefore available to the requester, which aligns with the weakness defined as Authorization Bypass Through Privilege Escalation (CWE-639).
Affected Systems
InvenTree, an open-source inventory management system, is affected in releases from 0.16.0 up to, but not including, 1.2.7. Any user of these versions, regardless of role, can create arbitrary tokens for any other user. The vulnerability is fixed in releases 1.2.7 and 1.3.0.
Risk and Exploitability
The flaw carries a CVSS v3 score of 8.3, indicating high severity. It does not currently appear in the CISA KEV catalog and no EPSS data is available, so the likelihood of exploitation in the wild is unknown. The only precondition is that the attacker holds an authenticated account on the system; the token creation endpoint can then be called to generate a valid token for any user. Once obtained, the token grants full API-level access, enabling data exfiltration, configuration changes, or further lateral movement where InvenTree is integrated with other services.
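The Impact and Risk sections above describe the same root cause: a token creation handler that trusts a client-supplied user ID instead of the authenticated principal. The following Python example, added here and not taken from InvenTree's code base, models that pattern with a flawed handler beside a hardened one and adds an audit helper a defender can use to spot tokens whose owner differs from their creator. The in-memory `User`, `Token` and `TokenStore` types, the handler names and the field name `user` in the request payload are all assumptions made for this illustration.

```python
"""Illustrative model of the token-attribution flaw; not InvenTree code.

Every type and function here is constructed for this example. The
'vulnerable' handler shows the class of bug the advisory describes; the
'fixed' handler shows one way to bind a token to the authenticated caller.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class User:
    id: int
    username: str
    is_superuser: bool = False


@dataclass
class Token:
    key: str
    owner_id: int      # user the token authenticates as
    created_by: int    # user who issued the creation request


@dataclass
class TokenStore:
    users: dict                          # user id -> User
    tokens: list = field(default_factory=list)


def create_token_vulnerable(store, requester, payload):
    """Flawed handler: the 'user' field from the request body decides
    whose token this is, so any authenticated requester can mint a
    token that authenticates as someone else (including a superuser)."""
    owner_id = payload.get("user", requester.id)
    if owner_id not in store.users:
        raise ValueError("unknown user")
    tok = Token(secrets.token_hex(20), owner_id, requester.id)
    store.tokens.append(tok)
    return tok


def create_token_fixed(store, requester, payload):
    """Hardened handler: the token is always bound to the authenticated
    principal. A 'user' field naming anyone else is rejected rather than
    silently overwritten, so the attempt surfaces as an error that can be
    logged and alerted on (a design choice assumed for this example)."""
    owner_id = payload.get("user", requester.id)
    if owner_id != requester.id:
        raise PermissionError("tokens may only be created for the requesting user")
    tok = Token(secrets.token_hex(20), owner_id, requester.id)
    store.tokens.append(tok)
    return tok


def authenticate(store, key):
    """Resolve a presented token to the user it authenticates as."""
    for tok in store.tokens:
        if secrets.compare_digest(tok.key, key):
            return store.users[tok.owner_id]
    return None


def audit_cross_user_tokens(store):
    """Detection helper: tokens whose owner is not the user who created
    them. On an affected instance these are the records to review."""
    return [t for t in store.tokens if t.owner_id != t.created_by]


if __name__ == "__main__":
    # Constructed sample data: one superuser and one ordinary user.
    store = TokenStore(users={1: User(1, "admin", True), 2: User(2, "alice")})
    alice = store.users[2]

    bad = create_token_vulnerable(store, alice, {"user": 1})
    print("vulnerable handler authenticates as:", authenticate(store, bad.key).username)
    print("cross-user tokens found by audit:", len(audit_cross_user_tokens(store)))

    try:
        create_token_fixed(store, alice, {"user": 1})
    except PermissionError as exc:
        print("fixed handler rejected request:", exc)
```

The audit helper only works if the store records who created each token alongside who owns it; if an existing schema lacks a creator field, rotating all tokens after upgrading past the affected range is the simpler remediation.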
OpenCVE Enrichment