Description
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirects are followed (allow_redirects=True), enabling bypass of any URL-format checks. This vulnerability is fixed in 1.2.7 and 1.3.0.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery exposing internal resources
Action: Immediate Patch
AI Analysis

Impact

InvenTree permits authenticated users to upload images by specifying a remote_image URL. The URLs are retrieved server‑side with requests.get() using only Django’s URLValidator, which does not validate against private IP ranges or internal hostnames. Redirects are automatically followed, allowing an attacker to point the download to an internal resource or a private IP address. The result is a classic SSRF where the InvenTree server can be coerced into making arbitrary HTTP requests, exposing internal data or enabling further network reconnaissance.

Affected Systems

The vulnerability affects the InvenTree inventory management application. All versions prior to 1.2.7 and 1.3.0 are impacted when the INVENTREE_DOWNLOAD_FROM_URL feature is enabled. Users running earlier releases should update to the patched versions to eliminate the flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate security impact. The EPSS score is not provided, and the flaw is not listed in the CISA KEV catalog, implying it has not been widely exploited. The attack requires an authenticated account and the download feature enabled, but no elevated privileges (the CVSS vector records PR:L). Once authenticated, an attacker can supply a malicious remote_image URL and force the InvenTree server to resolve private or internal addresses, potentially leaking sensitive information or facilitating additional attacks.

Generated by OpenCVE AI on April 8, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade InvenTree to version 1.2.7 or 1.3.0 as soon as possible.
  • If an upgrade cannot be performed immediately, disable the INVENTREE_DOWNLOAD_FROM_URL setting to block remote image fetching.
  • Restrict outbound traffic from the InvenTree server to trusted domains or block internal IP ranges using a firewall.
  • Monitor application logs for suspicious remote_image requests and verify that no internal resources are being accessed.
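The description names the two gaps in the pre-fix download path: the only check on remote_image is Django's URLValidator, which is a format check, and requests.get() follows redirects. Below is an added example, not InvenTree's own code, of the validation a hardened fetch would add: resolve the host, reject any non-public address, disable automatic redirects and re-validate every Location hop. The names check_url, safe_get and resolver are chosen here, and the hosts and addresses in the docstrings are constructed.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3

def is_public_address(ip_text):
    """True only for globally routable unicast addresses: rejects loopback,
    RFC 1918, link-local (including 169.254.169.254), CGNAT and multicast."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def default_resolver(host):
    """Resolve host to every address it points at (A and AAAA); a bare IP
    literal comes back unchanged, so it is validated the same way."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_url(url, resolver=default_resolver):
    """Return url if its scheme is http(s) and every address the host resolves
    to is public; raise ValueError otherwise. This is the check URLValidator
    does not perform: it accepts http://10.0.0.5/ as a well-formed URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("URL has no host")
    addresses = resolver(parsed.hostname)
    if not addresses:
        raise ValueError(f"unresolvable host: {parsed.hostname!r}")
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError(f"{parsed.hostname!r} resolves to non-public {addr}")
    return url

def safe_get(url, resolver=default_resolver, session=None, timeout=10):
    """Fetch url with allow_redirects=False and re-validate every Location hop,
    so a public URL cannot bounce the server onto an internal address."""
    if session is None:
        import requests  # deferred: the validators above need no third-party package
        session = requests.Session()
    for _ in range(MAX_REDIRECTS + 1):
        check_url(url, resolver)
        resp = session.get(url, allow_redirects=False, timeout=timeout)
        if resp.is_redirect or resp.is_permanent_redirect:
            url = urljoin(url, resp.headers["Location"])  # relative Location allowed
            continue
        return resp
    raise ValueError("too many redirects")
```

The name is resolved once here and again by the HTTP client when it connects, so an answer that changes between the two lookups (DNS rebinding) can still slip through; pinning the validated address at the transport layer closes that gap. This check complements, and does not replace, egress filtering from the InvenTree host.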

Generated by OpenCVE AI on April 8, 2026 at 20:21 UTC.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

  Type: First Time appeared
    Values Added: Inventree (vendor Inventree, product inventree)
  Type: Vendors & Products
    Values Added: Inventree (vendor Inventree, product inventree)

Wed, 08 Apr 2026 19:45:00 +0000

  Type: Description
    Values Added: InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirects are followed (allow_redirects=True), enabling bypass of any URL-format checks. This vulnerability is fixed in 1.2.7 and 1.3.0.
  Type: Title
    Values Added: InvenTree has SSRF via Remote Image Download — No IP/Hostname Validation on remote_image URLs
  Type: Weaknesses
    Values Added: CWE-918
  Type: References
  Type: Metrics
    Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:32:46.744Z

Reserved: 2026-04-06T21:29:17.349Z

Link: CVE-2026-39362

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T20:16:25.077

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:38Z

Weaknesses