CVE-2026-35479: Plugin Installation Vulnerability in InvenTree
Platform: php
Component: inventree
Fixed in: 1.2.8
CVE-2026-35479 is a vulnerability in InvenTree, an open-source inventory management system. It allows users with staff access permissions to install plugins via the API, bypassing the usual superuser requirement. This flawed permission check could lead to the installation of malicious plugins, potentially compromising the system's integrity and data. The vulnerability affects versions 1.2.0 through 1.2.6 and is resolved in versions 1.2.7 and 1.3.0.
Impact and Attack Scenarios
The primary impact of CVE-2026-35479 is that users who are not superusers can install arbitrary plugins within the InvenTree system. A malicious actor holding, or having compromised, a staff account could upload a plugin containing code designed to steal sensitive inventory data, modify records, or gain further access to the underlying server. The blast radius extends to any data stored within InvenTree, including product details, supplier information, and potentially user credentials. While exploitation requires staff-level access, that role is typically granted to many more users than superuser accounts, which widens the effective attack surface. In short, the flaw in the plugin management permission check lets a staff user escalate privileges through an action that looks routine.
Exploitation Context
CVE-2026-35479 was publicly disclosed on 2026-04-08. There is no indication of this vulnerability being actively exploited at the time of writing. It is not currently listed on CISA KEV. The availability of a relatively straightforward bypass of plugin installation restrictions suggests a moderate risk of exploitation if the vulnerability becomes widely known and a suitable malicious plugin is developed. Public proof-of-concept code is not currently available.
Threat Intelligence
EPSS: 0.03% (10th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: High — admin or privileged account required to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.
Mitigation and Workarounds
The primary mitigation for CVE-2026-35479 is to upgrade InvenTree to version 1.2.7 or 1.3.0 immediately, as these releases correct the flawed permission check. If upgrading is not immediately feasible, tighten access controls within InvenTree so that as few accounts as possible hold staff permissions. Review the plugins already installed for any sign of compromise. A direct WAF rule is unlikely to be effective, but monitoring the API endpoints that handle plugin installation for unusual activity can provide an early warning. Audit user permissions and plugin installations regularly to keep them in line with security best practices. After upgrading, confirm the fix by attempting to install a plugin with a standard staff account in a test environment; the request should be denied.
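The two checks recommended above, triaging the running version against the affected range and watching plugin-install requests for non-superuser accounts, are illustrated by the following Python script. It is example code written for this page, not InvenTree project code. The affected range (1.2.0 through 1.2.6) comes from the advisory; the plugin-install endpoint path and the `key=value` log format are assumptions that must be adapted to the deployment being monitored.

```python
"""Defensive helpers for CVE-2026-35479 (InvenTree plugin-install permission flaw).

Example code for this page, not part of InvenTree. Assumptions are marked.
"""
import re
from typing import Iterable, List, Tuple

# Affected range as stated in the advisory: 1.2.0 through 1.2.6 (inclusive).
AFFECTED_MIN = (1, 2, 0)
AFFECTED_MAX = (1, 2, 6)

# ASSUMPTION: the API path under which plugin installation is exposed.
# Check the path your deployment actually uses before relying on the detector.
PLUGIN_INSTALL_PATH = "/api/plugins/install/"

# Constructed sample access log in a simple "timestamp key=value ..." form,
# with a superuser flag alongside the acting user. Real logs will differ;
# adapt parse_log_line() to whatever your reverse proxy or Django logging emits.
SAMPLE_LOG = [
    "2026-04-09T10:15:02Z user=root superuser=true method=POST path=/api/plugins/install/ status=201",
    "2026-04-09T10:16:40Z user=alice superuser=false method=GET path=/api/plugins/ status=200",
    "2026-04-09T10:17:11Z user=bob superuser=false method=POST path=/api/plugins/install/ status=201",
    "2026-04-09T10:18:05Z user=carol superuser=false method=POST path=/api/plugins/install/ status=403",
]

KV_PAIR = re.compile(r"(\S+)=(\S+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a version string such as '1.2.7' (or '1.2.7dev') into a 3-tuple of ints."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def is_affected(version: str) -> bool:
    """True when the reported InvenTree version lies inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def parse_log_line(line: str) -> dict:
    """Parse one constructed log line: first token is the timestamp, rest is key=value."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV_PAIR.findall(rest))
    fields["ts"] = ts
    return fields


def flag_plugin_installs(lines: Iterable[str],
                         install_path: str = PLUGIN_INSTALL_PATH) -> List[dict]:
    """Return every plugin-install POST issued by a non-superuser account.

    On a fixed deployment such requests are rejected (non-2xx). A 2xx status
    for a non-superuser is therefore direct evidence the instance is still
    vulnerable, and even the rejected attempts are worth reviewing.
    """
    findings = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("method") != "POST" or f.get("path") != install_path:
            continue
        if f.get("superuser", "false").lower() == "true":
            continue
        status = int(f.get("status", "0"))
        findings.append({
            "ts": f["ts"],
            "user": f.get("user", "?"),
            "status": status,
            "succeeded": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for v in ("1.2.0", "1.2.6", "1.2.7", "1.3.0"):
        print(f"InvenTree {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for hit in flag_plugin_installs(SAMPLE_LOG):
        verdict = "SUCCEEDED (fix missing?)" if hit["succeeded"] else "rejected"
        print(f"{hit['ts']} plugin install by non-superuser {hit['user']}: {verdict}")
```

Run the script as-is to see the version triage and the two flagged sample requests; in practice, feed `flag_plugin_installs()` the lines from your own access log after adjusting the parser and endpoint path. The `succeeded` field separates a request that merely probed the endpoint from one that actually installed a plugin, which is the case that warrants an incident review.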
How to fix
Update InvenTree to version 1.2.7 or higher to mitigate the vulnerability. This update corrects the inadequate permissions for plugin installation via the API, now requiring superuser privileges.
Frequently asked questions
What is CVE-2026-35479 — Plugin Installation Vulnerability in InvenTree?
CVE-2026-35479 is a vulnerability in InvenTree versions 1.2.0 through 1.2.6 that allows staff users to install plugins without superuser access, potentially enabling malicious code execution.
Am I affected by CVE-2026-35479 in InvenTree?
You are affected if you are running InvenTree versions 1.2.0 through 1.2.6. Upgrade to 1.2.7 or 1.3.0 to mitigate the risk.
How do I fix CVE-2026-35479 in InvenTree?
Upgrade InvenTree to version 1.2.7 or 1.3.0. If immediate upgrade is not possible, restrict staff user permissions and monitor plugin installations.
Is CVE-2026-35479 being actively exploited?
There is currently no evidence of active exploitation of CVE-2026-35479, but because the bypass is straightforward for anyone holding a staff account, the risk would rise if a malicious plugin or public proof-of-concept appeared.
Where can I find the official InvenTree advisory for CVE-2026-35479?
Refer to the InvenTree security advisory on their official website or GitHub repository for detailed information and updates.