CVE-2026-35479 - Vulnerability Details

- InvenTree Plugin Installation - Insufficient Permissions

Description

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The vulnerability allows staff users (who may be considered to have a lower level of trust than a superuser account) to install arbitrary (and potentially harmful) plugins. This vulnerability is fixed in 1.2.7 and 1.3.0.

Published: 2026-04-08

Score: 6.6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows users with staff-level permissions in InvenTree to install plugins through the API without requiring superuser rights. This deviation from the expected privilege model permits the deployment of arbitrary or malicious plugins, potentially enabling an attacker to execute arbitrary code, modify inventory data, or disrupt operations. The weakness is categorized as CWE‑285, Abuse of Privilege. If exploited, the attacker can gain administrative influence over the system’s plugins, leading to confidentiality, integrity, and availability impacts.

Affected Systems

Any InvenTree installation running a version earlier than 1.2.7 for the 1.2 series or earlier than 1.3.0 for the 1.3 series is vulnerable. The issue is specific to the InvenTree product. Users should verify the deployed version and ensure they are running a patched release.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity. No EPSS score is available, and the flaw is not listed in CISA’s KEV catalog, suggesting limited evidence of recent exploitation. The attack likely proceeds via an authenticated API call made by a staff user; no external network escalation is required beyond the existing staff credentials. The exploitability is therefore contingent on staff accounts having active API access, which many installations provide for routine operations.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

inventree

InvenTree

affected

Version	Status	Constraints
`< 1.2.7`	affected	—

No data.

Vendor Product Confidence Versions

Inventree

100%

Version	Status	Scheme	Platform
`[0,1.2.7)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade InvenTree to version 1.2.7 or 1.3.0 to apply the vendor fix
Confirm that only superusers retain the ability to install plugins via the API
Review the source and integrity of all installed plugins and remove any untrusted additions
Consider tightening API access controls to restrict plugin installation to privileged accounts
Implement monitoring for anomalous plugin installation activity by staff users

Generated by OpenCVE AI on April 8, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust
https://docs.inventree.org/en/stable/start/config/#plugin-options
https://github.com/inventree/InvenTree/security/advisories/GHSA-7c3q-vwcv-2vp7

History

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Inventree Inventree inventree
Vendors & Products		Inventree Inventree inventree

Wed, 08 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The vulnerability allows staff users (who may be considered to have a lower level of trust than a superuser account) to install arbitrary (and potentially harmful) plugins. This vulnerability is fixed in 1.2.7 and 1.3.0.
Title		InvenTree Plugin Installation - Insufficient Permissions
Weaknesses		CWE-285
References		https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust https://docs.inventree.org/en/stable/start/config/#plugin-options https://github.com/inventree/InvenTree/security/advisories/GHSA-7c3q-vwcv-2vp7
Metrics		cvssV3_1 `{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}`

Subscriptions

Inventree Inventree

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-08T19:27:57.320Z

Updated: 2026-04-09T14:16:36.423Z

Reserved: 2026-04-02T20:49:44.453Z

Link: CVE-2026-35479

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T20:16:24.770

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-35479

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:40Z

Weaknesses

CWE-285

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object