CVE-2026-35476: Privilege Escalation in InvenTree
Platform: php
Component: inventree
Fixed in: 1.2.8
CVE-2026-35476 describes a Privilege Escalation vulnerability discovered in InvenTree, an open-source inventory management system. This flaw allows a non-staff user, after authentication, to elevate their account privileges to a staff level, granting them broader access and control within the system. The vulnerability impacts versions 1.2.0 through 1.2.6 and is resolved in versions 1.2.7 and 1.3.0.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-35476 allows an attacker to bypass access controls and gain staff-level privileges within InvenTree. This could lead to unauthorized modification of inventory data, creation of new users with elevated permissions, and potentially complete control over the system's configuration. The impact is particularly severe as it requires only authentication, making it accessible to anyone who can log in to the system. A malicious insider or a compromised user account could leverage this vulnerability to cause significant disruption and data breaches.
Exploitation Context
CVE-2026-35476 was publicly disclosed on 2026-04-08. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on CISA KEV, and its EPSS score is likely low given the lack of public exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Threat Intelligence
EPSS: 0.04% (11th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: None — no availability impact. Service remains fully operational.
Mitigation and Workarounds
The primary mitigation for CVE-2026-35476 is to immediately upgrade InvenTree to version 1.2.7 or 1.3.0, which contain the fix. If upgrading is not immediately feasible, consider implementing stricter access controls and input validation on the user account endpoint. While not a complete solution, restricting write permissions on this endpoint reduces the attack surface. Review InvenTree's API documentation for best practices on secure endpoint configuration. After upgrading, verify the fix by attempting to elevate a non-staff user account to staff status via a POST request to the user account endpoint; the request should be rejected.
How to fix
Update InvenTree to version 1.2.7 or higher to fix the privilege escalation vulnerability. The update corrects the improper write permissions configuration on the API, preventing unauthorized users from changing their staff status.
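The root cause described above is a write-permission problem on a self-service account endpoint: a privilege-bearing field that only staff should be able to set was accepted from any authenticated caller. The following added example is not InvenTree's code and does not use its API; the `Account` model, the field allowlists, the `update_account_weak` / `update_account_hardened` handlers and the `fix_is_effective` check are constructed stand-ins. It shows the weak pattern beside the hardened one, and an offline version of the advisory's post-upgrade verification (a non-staff account submitting `is_staff=True` must be rejected and the flag must stay unchanged).

```python
from dataclasses import dataclass

# Constructed allowlist: fields any authenticated user may change on their own account.
SELF_EDITABLE_FIELDS = {"first_name", "last_name", "email"}
# Constructed set of privilege-bearing fields; never writable through self-service.
PRIVILEGED_FIELDS = {"is_staff", "is_superuser"}


@dataclass
class Account:
    """Minimal stand-in for a user record (hypothetical, not InvenTree's model)."""
    username: str
    email: str = ""
    first_name: str = ""
    last_name: str = ""
    is_staff: bool = False
    is_superuser: bool = False


class PermissionDenied(Exception):
    """Raised when a request tries to write a field the caller may not write."""


def update_account_weak(actor: Account, payload: dict) -> Account:
    """Weak pattern: every key in the request body that matches a model attribute
    is written onto the caller's own account. A non-staff caller who includes
    is_staff=True is silently granted staff status."""
    for key, value in payload.items():
        if hasattr(actor, key):
            setattr(actor, key, value)
    return actor


def update_account_hardened(actor: Account, payload: dict) -> Account:
    """Hardened pattern: the server, not the client, decides which fields are
    writable on this endpoint. Any field outside the allowlist (privileged or
    simply unknown) rejects the whole request before anything is written."""
    disallowed = set(payload) - SELF_EDITABLE_FIELDS
    if disallowed:
        raise PermissionDenied(
            f"fields not writable on the self-service endpoint: {sorted(disallowed)}"
        )
    for key, value in payload.items():
        setattr(actor, key, value)
    return actor


def set_staff_flag(actor: Account, target: Account, value: bool) -> Account:
    """The one legitimate path for changing is_staff: a separate, staff-only
    operation on another account, so privilege changes are never self-granted."""
    if not actor.is_staff:
        raise PermissionDenied("only staff may change staff status")
    if actor is target:
        raise PermissionDenied("staff status cannot be changed on one's own account")
    target.is_staff = value
    return target


def fix_is_effective(update_handler) -> bool:
    """Offline stand-in for the advisory's post-upgrade check: a non-staff
    account submits is_staff=True alongside an ordinary field. The fix counts
    as effective only if the request is rejected AND the flag is unchanged."""
    probe = Account("probe-user")  # constructed non-staff account
    try:
        update_handler(probe, {"email": "probe@example.test", "is_staff": True})
    except PermissionDenied:
        return probe.is_staff is False
    return False  # request was accepted: the weak behaviour is still present


if __name__ == "__main__":
    print("weak handler rejects escalation:", fix_is_effective(update_account_weak))
    print("hardened handler rejects escalation:", fix_is_effective(update_account_hardened))
```

The design point is that the hardened handler rejects rather than silently drops unexpected fields: a dropped field hides the misconfiguration from the client and from logs, while a rejected request both fails closed and produces an auditable event that the advisory's verification step can observe.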
Frequently asked questions
What is CVE-2026-35476 — Privilege Escalation in InvenTree?
CVE-2026-35476 is a vulnerability in InvenTree versions 1.2.0 through 1.2.6 that allows authenticated, non-staff users to elevate their account privileges to staff level, potentially granting unauthorized access.
Am I affected by CVE-2026-35476 in InvenTree?
You are affected if you are running InvenTree versions 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, or 1.2.6. Upgrade to 1.2.7 or 1.3.0 to resolve the issue.
How do I fix CVE-2026-35476 in InvenTree?
The recommended fix is to upgrade InvenTree to version 1.2.7 or 1.3.0. As a temporary workaround, restrict write permissions on the user account endpoint.
Is CVE-2026-35476 being actively exploited?
As of now, there are no confirmed reports of active exploitation of CVE-2026-35476, but it's crucial to apply the patch promptly.
Where can I find the official InvenTree advisory for CVE-2026-35476?
Refer to the InvenTree security advisories on their official website or GitHub repository for the latest information and updates regarding CVE-2026-35476.