CVE-2026-35476
Privilege Escalation in InvenTree via Misconfigured API Permissions
Publication date: 2026-04-08
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inventree_project | inventree | to 1.2.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35476 is a high-severity privilege escalation vulnerability in InvenTree versions prior to 1.2.7 and 1.3.0. It occurs because the user account API endpoint has improperly configured write permissions, allowing any authenticated non-staff user to elevate their account privileges to staff level by sending a specially crafted POST request.
Exploitation requires valid user authentication but involves low attack complexity and no user interaction.
How can this vulnerability impact me? :
This vulnerability allows an authenticated non-staff user to escalate their privileges to staff level, which can lead to unauthorized access to sensitive functions or data within the InvenTree system.
The impact affects confidentiality and integrity at a low level but does not affect system availability.
Because the scope is changed, the elevated privileges can potentially allow the attacker to perform actions reserved for staff users, compromising the security of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for POST requests to the user account API endpoint that attempt to change the staff status of a user. Specifically, look for authenticated non-staff users sending crafted POST requests that modify their own staff privileges.
Commands to detect such activity would involve inspecting web server logs or using network monitoring tools to filter POST requests targeting the user account endpoint with parameters related to staff status changes.
- Use tools like curl or HTTP request log analysis to identify suspicious POST requests modifying staff status.
- Example command to search logs for POST requests to the user account endpoint (assuming logs are in access.log):
- grep 'POST /api/user' access.log | grep 'staff=true'
- Use network monitoring tools like Wireshark or tcpdump to capture and analyze HTTP POST traffic to the user account API endpoint.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows a non-staff authenticated user to elevate their privileges to staff level, impacting confidentiality and integrity at a low level. This unauthorized privilege escalation could potentially lead to unauthorized access to sensitive data or system functions.
Such unauthorized access and privilege escalation may conflict with compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive data to protect confidentiality and integrity.
However, the provided information does not explicitly discuss the direct impact on compliance with these standards or any specific regulatory implications.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade InvenTree to version 1.2.7 or 1.3.0, where this vulnerability has been fixed.
No workarounds are available, so patching is the only effective mitigation.
Additionally, restrict access to the user account API endpoint to trusted users only, if possible, until the upgrade can be applied.