Executive Summary

CVE-2026-33530 is a high-severity vulnerability in InvenTree versions prior to 1.2.6 that affects certain API endpoints used for bulk data operations.

These endpoints accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any allowlisting of fields.

This lack of validation allows any authenticated user to exploit Django’s double underscore ("__") lookup syntax to traverse model relationships and perform blind boolean-based data extraction.

As a result, an attacker can hijack the API endpoints to exfiltrate sensitive information from the database.

The issue is patched in InvenTree versions 1.2.6 and above, and no known workarounds exist.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated user with low privileges to exfiltrate sensitive information from the database by abusing bulk data operation API endpoints.

The attack requires no user interaction and can be performed remotely over the network.

The impact is primarily on confidentiality, as sensitive data can be extracted without authorization.

There is no impact on data integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves exploitation of certain API endpoints in InvenTree that accept a filters parameter allowing traversal of model relationships via Django's __ lookup syntax. Detection would involve monitoring for unusual or unauthorized API requests to endpoints such as /api/part/, /api/stock/, or /api/order/so/allocation/ that include suspicious filter parameters containing double underscores (__).

Since the vulnerability requires an authenticated user to send specially crafted requests, detection can focus on analyzing API request logs for filter parameters with unusual patterns or unexpected field traversals.

Specific commands are not provided in the available resources, but network or system administrators can use tools like curl or HTTP request log analysis to identify requests with filters containing double underscore syntax.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation step is to upgrade InvenTree to version 1.2.6 or above, where this vulnerability has been patched.

No known workarounds are available, so updating to the fixed versions is essential to prevent exploitation.

The patch includes restricting the bulk operation API endpoints to the base view queryset, removing the ability to provide arbitrary filters, and eliminating feedback that could leak information.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows authenticated users to exfiltrate sensitive information from the database by exploiting API endpoints without proper filtering validation. Such unauthorized data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls on access to and protection of sensitive personal and health information.

Because the vulnerability results in a high confidentiality impact by enabling data leakage, organizations using affected versions of InvenTree may face compliance risks if sensitive data is exposed or accessed improperly.

The issue is patched in versions 1.2.6 and above, and users are advised to upgrade to these versions to mitigate the risk and maintain compliance with relevant data protection standards.

Useful 0 Not Useful 0