Platform: python
Component: inventree
Fixed in: 1.2.8
CVE-2026-39362 is a Server-Side Request Forgery (SSRF) vulnerability affecting InvenTree versions 1.2.0 through 1.2.6. This flaw allows authenticated users to trigger server-side requests to arbitrary URLs, potentially exposing internal resources or performing unauthorized actions. The vulnerability is resolved in versions 1.2.7 and 1.3.0, and users are strongly advised to upgrade immediately.
The SSRF vulnerability in InvenTree allows an authenticated attacker to bypass URL validation checks and make requests to internal or external resources. By manipulating the remote_image URL, an attacker can potentially reach sensitive internal services, read internal files, or interact with internal APIs. Because the download is performed with allow_redirects=True, a URL that passes the format checks can redirect to a destination that was never validated, which defeats those checks entirely. This could lead to data exfiltration, denial of service, or further exploitation of internal systems if they are themselves vulnerable. The blast radius extends to any internal resource reachable over HTTP/HTTPS from the InvenTree server.
CVE-2026-39362 was publicly disclosed on 2026-04-08. There are currently no known public proof-of-concept exploits available, but the SSRF nature of the vulnerability makes it likely that one will emerge. The EPSS score is pending evaluation. This vulnerability shares similarities with other SSRF vulnerabilities where insufficient URL validation allows attackers to bypass security controls and access internal resources.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
The primary mitigation for CVE-2026-39362 is to upgrade InvenTree to version 1.2.7 or 1.3.0, which include the necessary fixes. If upgrading is not immediately feasible, disable the INVENTREE_DOWNLOAD_FROM_URL setting in the InvenTree configuration; this prevents the vulnerable functionality from being used at all. As a temporary workaround, place a Web Application Firewall (WAF) or egress proxy in front of outbound requests to filter them and block those targeting internal IP ranges or suspicious domains. Regularly review InvenTree's configuration and access controls to minimize the potential impact of this vulnerability. After the upgrade, confirm the fix by attempting to trigger the vulnerable functionality with a known malicious URL and verifying that the request is blocked.
Update InvenTree to version 1.2.7 or higher to mitigate the SSRF vulnerability. The update corrects the lack of validation in remote image download URLs, preventing authenticated users from accessing internal resources.
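As an added illustration (not InvenTree's own code), the following Python sketch contrasts the vulnerable pattern described above, validating only the user-supplied remote_image URL and then fetching with redirects enabled, with a hardened download that disables client-side redirects and re-validates every hop before requesting it; the DNS table, HTTP responses, hostnames and addresses are constructed fixtures so the code runs offline.

```python
import ipaddress
from typing import Callable, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Constructed stand-ins for DNS and the network so the example runs offline;
# 1.2.3.4 is only a placeholder for "some public address".
FAKE_DNS = {"img.example.com": "1.2.3.4", "localhost": "127.0.0.1"}
FAKE_NET = {  # url -> (status, Location header, body)
    "https://img.example.com/logo.png": (302, "http://localhost/admin/secret", b""),
    "https://img.example.com/real.png": (200, None, b"PNG bytes"),
    "http://localhost/admin/secret": (200, None, b"internal-only data"),
}
REDIRECT_CODES = (301, 302, 303, 307, 308)

def fake_resolver(host: str) -> str:
    return FAKE_DNS[host]

def fake_fetch_once(url: str) -> Tuple[int, Optional[str], bytes]:
    """One request with redirects disabled (like requests.get(url, allow_redirects=False))."""
    return FAKE_NET[url]

def fake_fetch_following(url: str) -> bytes:
    """Emulates allow_redirects=True: the client follows Location without any check."""
    for _ in range(10):
        status, location, body = fake_fetch_once(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return body
    raise ValueError("too many redirects")

def validate_url(url: str, resolver: Callable[[str], str] = fake_resolver) -> None:
    """Allow only http(s) URLs whose host resolves to a public address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"unsupported URL: {url}")
    addr = ipaddress.ip_address(resolver(parsed.hostname))
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        raise ValueError(f"{parsed.hostname} resolves to non-public {addr}")

def download_vulnerable(url: str) -> bytes:
    # Vulnerable pattern: only the user-supplied URL is validated; the redirect target is not.
    validate_url(url)
    return fake_fetch_following(url)

def download_hardened(url: str, max_redirects: int = 5) -> bytes:
    # Hardened pattern: redirects disabled in the client; every hop is validated first.
    for _ in range(max_redirects + 1):
        validate_url(url)
        status, location, body = fake_fetch_once(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return body
    raise ValueError("too many redirects")
```

The hardened version still resolves the hostname separately from the request, so a production implementation should also pin the connection to the address it validated (or resolve once and connect by IP) to close the DNS-rebinding window between check and use.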
CVE-2026-39362 is a Server-Side Request Forgery (SSRF) vulnerability in InvenTree versions 1.2.0 through 1.2.6, allowing authenticated users to make requests to arbitrary URLs.
If you are running InvenTree versions 1.2.0 through 1.2.6 and have the INVENTREE_DOWNLOAD_FROM_URL setting enabled, you are potentially affected by this vulnerability.
Upgrade InvenTree to version 1.2.7 or 1.3.0. Alternatively, disable the INVENTREE_DOWNLOAD_FROM_URL setting as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the SSRF nature of the vulnerability suggests it could be targeted in the future.
Refer to the InvenTree security advisory on their GitHub repository for detailed information and updates: [https://github.com/invenity/inventree/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)