CVE-2026-33531
Path Traversal in InvenTree Report Template Engine Allows File Access
Publication date: 2026-03-26
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inventree_project | inventree | < 1.2.6 (all releases before 1.2.6; 1.2.6 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |

Note: the CWE-89 entry above describes SQL injection and does not match the behaviour this listing describes, which is path traversal (a template-supplied name used to read files outside the intended directory). The weakness class for that behaviour is CWE-22, Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"); treat the CWE-89 mapping here as a data error in this listing rather than as a second, SQL-related issue.
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33531 is a path traversal vulnerability in the InvenTree Open Source Inventory Management System prior to version 1.2.6. It affects the report template engine, specifically the functions encode_svg_image(), asset(), and uploaded_image() in report.py. A staff-level user who can upload or edit report templates can pass crafted path arguments to the template tags backed by those functions; the functions resolved the argument directly against the filesystem instead of confining it to the intended storage directory, so the rendered report could include the contents of files elsewhere on the server.
The set of readable files is bounded by the OS account the InvenTree process runs as: if that account is privileged, files well outside the InvenTree source and media directories become readable. The issue was fixed in versions 1.2.6 and 1.3.0 by refactoring the three functions to go through Django's storage backend APIs, which resolve names relative to the configured storage location and reject names that escape it, instead of touching the filesystem directly.
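The unconfined path join described above, beside a hardened lookup, as an added example written for this page rather than InvenTree's own code. The function names, the MEDIA_ROOT layout and the sample files are all constructed; the confinement check (canonicalise, then require the candidate to sit under the root) is the same rule Django's FileSystemStorage.path() enforces via safe_join(), reimplemented here without Django so the block runs stand-alone:

```python
"""Added example (not InvenTree's code): an unconfined os.path.join of a
template-supplied name next to a resolver that confines the result to the
media root. Names, directory layout and sample files are constructed."""
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a template-supplied name would leave the media root."""


def resolve_asset_unsafe(media_root: str, name: str) -> str:
    # Vulnerable pattern: the template argument is joined straight onto the
    # base directory. "../" segments walk out of media_root, and an absolute
    # name makes os.path.join discard media_root entirely.
    return os.path.normpath(os.path.join(media_root, name))


def resolve_asset_safe(media_root: str, name: str) -> str:
    # Hardened form: refuse absolute names, canonicalise both sides
    # (resolve() also follows symlinks) and require the candidate to sit
    # inside the root. Anything else is a traversal attempt.
    root = Path(media_root).resolve()
    if os.path.isabs(name):
        raise TraversalError(f"absolute name rejected: {name!r}")
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise TraversalError(f"{name!r} escapes {root}") from None
    return str(candidate)


def demo() -> dict:
    """Build a constructed MEDIA_ROOT with a secret file next to it and
    exercise both resolvers. Returns a dict of outcomes so the result can
    be checked rather than only printed."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp, "media")
        media.mkdir()
        (media / "logo.svg").write_text("<svg/>")
        secret = Path(tmp, "secret.txt")  # deliberately outside the media root
        secret.write_text("db-password")

        # The unsafe join hands back the sibling file and the read succeeds...
        p = resolve_asset_unsafe(str(media), "../secret.txt")
        out["unsafe_reads_sibling"] = Path(p).read_text() == "db-password"
        # ...and an absolute argument replaces the root outright.
        out["unsafe_absolute"] = resolve_asset_unsafe(str(media), str(secret)) == str(secret)

        # The confined resolver still serves the legitimate asset...
        served = Path(resolve_asset_safe(str(media), "logo.svg")).read_text()
        out["safe_serves_asset"] = served == "<svg/>"
        # ...but rejects "..", nested "..", and absolute names.
        attempts = {
            "dotdot": "../secret.txt",
            "nested_dotdot": "sub/../../secret.txt",
            "absolute": str(secret),
        }
        for key, name in attempts.items():
            try:
                resolve_asset_safe(str(media), name)
                out[f"safe_blocks_{key}"] = False
            except TraversalError:
                out[f"safe_blocks_{key}"] = True
        # A symlink inside the root that points outside is caught because
        # resolve() follows it before the containment check.
        try:
            os.symlink(secret, media / "link.svg")
            try:
                resolve_asset_safe(str(media), "link.svg")
                out["safe_blocks_symlink"] = False
            except TraversalError:
                out["safe_blocks_symlink"] = True
        except OSError:  # platforms without symlink support
            out["safe_blocks_symlink"] = None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The symlink case is the reason to compare canonicalised paths rather than the strings: a check that only looks for `..` in the argument would let a staff user who can also place a symlink in the media tree read through it. Django's storage API does this resolution for you, which is why routing the lookups through it closed the issue.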
How can this vulnerability impact me?
This vulnerability allows a staff-level user with the ability to upload or edit report templates to read arbitrary files on the server filesystem. If the InvenTree process runs with elevated privileges, this could lead to unauthorized access to sensitive files outside the application directory.
However, exploitation requires authenticated staff-level access, and no user interaction beyond that is necessary. The advisory rates the issue as low severity. Note that reading arbitrary files is by definition a confidentiality impact, so a CVSS vector that records no confidentiality impact for this issue is inconsistent with the described behaviour; judge the exposure by what the InvenTree process account can read (configuration files with database credentials and secret keys, other users' uploads) rather than by the headline score.
Users should update to the patched versions 1.2.6 or later to mitigate this risk, as no known workarounds exist.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability requires a staff-level user to upload or edit report templates containing maliciously crafted template tags. Detection therefore centres on the templates themselves and on who changed them: review the report templates stored on the server for asset, uploaded_image or encode_svg_image tags whose argument contains `..` segments or an absolute path, and check the audit trail of template uploads and edits by staff accounts for changes you cannot account for.
Because the affected functions (`encode_svg_image()`, `asset()`, and `uploaded_image()`) run inside the report template engine, a successful read shows up in a rendered report rather than in a separate request, so web-server access logs alone will not reveal it; the template content and the generated report output are the evidence to examine.
No specific detection commands or network signatures are provided in the available information.
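A template-scanning triage aid, as an added example that is not InvenTree's code and is not a signature published for this CVE. It assumes the three functions are invoked as Django template tags of the same name, e.g. `{% asset "logo.svg" %}`, and flags any argument that is an absolute path, contains a `..` segment, or carries URL-encoded path characters; non-literal arguments (template variables) are reported for manual review. The sample template is constructed:

```python
"""Added example (not InvenTree's code): flag report-template tags whose
argument looks like a traversal attempt. Assumes the tags are written as
Django template tags named after the functions; the sample is constructed."""
import re
from pathlib import Path
from typing import Dict, List, Optional

TAG_NAMES = ("asset", "uploaded_image", "encode_svg_image")

# Matches {% asset "arg" %}, {% asset 'arg' %} or {% asset some.variable %}
# and captures the first argument; later keyword arguments are ignored.
TAG_RE = re.compile(
    r"\{%\s*(?P<tag>" + "|".join(TAG_NAMES) + r")\s+"
    r"(?P<arg>\"[^\"]*\"|'[^']*'|(?!%\})\S+)"
)


def suspicious_argument(arg: str) -> Optional[str]:
    """Return a reason string if the argument looks like traversal, else None."""
    if len(arg) >= 2 and arg[0] in "\"'" and arg[-1] == arg[0]:
        literal = arg[1:-1]
    else:
        return "non-literal argument (template variable); review manually"
    norm = literal.replace("\\", "/")  # treat Windows separators the same way
    if norm.startswith("/"):
        return "absolute path"
    if any(part == ".." for part in norm.split("/")):
        return "contains '..' segment"
    if "%2e" in norm.lower() or "%2f" in norm.lower():
        return "URL-encoded path characters"
    return None


def scan_template(text: str, source: str = "<template>") -> List[Dict]:
    """Scan one template body; returns one finding per suspicious tag use."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TAG_RE.finditer(line):
            reason = suspicious_argument(match.group("arg"))
            if reason:
                findings.append({
                    "source": source,
                    "line": lineno,
                    "tag": match.group("tag"),
                    "arg": match.group("arg"),
                    "reason": reason,
                })
    return findings


def scan_directory(root: str, pattern: str = "*.html") -> List[Dict]:
    """Scan every template file under root (recursively)."""
    out = []
    for path in sorted(Path(root).rglob(pattern)):
        out.extend(scan_template(path.read_text(errors="replace"), str(path)))
    return out


# Constructed sample: two benign tag uses and three that should be flagged.
SAMPLE_TEMPLATE = """{% load report %}
{% asset "logo.svg" %}
<img src="{% uploaded_image '../../etc/passwd' %}">
{% encode_svg_image "/etc/shadow" %}
{% asset "images/banner.png" width=200 %}
{% asset "images/../../secret.txt" %}
"""


if __name__ == "__main__":
    for finding in scan_template(SAMPLE_TEMPLATE, "sample.html"):
        print(f"{finding['source']}:{finding['line']} {finding['tag']} "
              f"{finding['arg']} -> {finding['reason']}")
```

Point `scan_directory()` at the directory your deployment stores uploaded report templates in (typically a subdirectory of the Django MEDIA_ROOT; check your own configuration) and at any templates exported from the database. A clean scan on a pre-1.2.6 instance is not proof of absence, since a template could have been edited back after use, which is why the audit trail of template changes matters as much as the current content.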
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the InvenTree installation to version 1.2.6, 1.3.0, or later, where the vulnerability has been patched.
Avoid running the InvenTree process with elevated privileges on the host system: run it as a dedicated, unprivileged account whose filesystem access is limited to the application source, its media directory and its configuration, so that any file read the template engine can be tricked into is bounded to those locations.
There are no known workarounds available, so updating to a patched version is essential.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows a staff-level user to read files from the server filesystem via crafted template tags; which files are reachable depends on the privileges of the OS account InvenTree runs as. This unauthorized file access could expose sensitive data stored on the server, such as configuration files holding database credentials or other users' uploaded files.
Such unauthorized access to sensitive files may impact compliance with data protection regulations like GDPR or HIPAA, which require strict controls on access to personal or protected health information. However, the vulnerability requires authenticated staff-level access and no user interaction beyond that.
The issue is patched in versions 1.2.6 and later, and users are advised to update to these versions to mitigate the risk.