Platform
python
Component
inventree
Fixed in
1.2.8
CVE-2026-39362 is a Server-Side Request Forgery (SSRF) vulnerability affecting InvenTree versions 1.2.0 through 1.2.6. This flaw allows authenticated users to trigger server-side requests to arbitrary URLs, potentially exposing internal resources or performing unauthorized actions. The vulnerability is resolved in versions 1.2.7 and 1.3.0, and users are strongly advised to upgrade immediately.
The SSRF vulnerability in InvenTree allows an authenticated attacker to bypass URL validation checks and make requests to internal or external resources. By manipulating the remote image URL, an attacker can potentially access sensitive internal services, read internal files, or even interact with internal APIs. The allow_redirects=True setting exacerbates the issue: a URL that passes the format check can redirect to a destination that was never checked, bypassing the validation entirely. This could lead to data exfiltration, denial of service, or further exploitation of internal systems if they are vulnerable. The blast radius extends to any internal resource reachable over HTTP/HTTPS from the InvenTree server.
CVE-2026-39362 was publicly disclosed on 2026-04-08. There are currently no known public proof-of-concept exploits available, but the SSRF nature of the vulnerability makes it likely that one will emerge. The EPSS score is pending evaluation. This vulnerability shares similarities with other SSRF vulnerabilities where insufficient URL validation allows attackers to bypass security controls and access internal resources.
Organizations using InvenTree for inventory management, particularly those with the INVENTREE_DOWNLOAD_FROM_URL setting enabled, are at risk. Shared hosting environments where InvenTree is deployed alongside other applications are also exposed, as a compromised InvenTree instance could potentially be used to reach other services on the same server.
• python / server:
# Check for the presence of the vulnerable code in the InvenTree codebase (fixed-string match, so the parentheses and dots are taken literally).
grep -rF 'requests.get(url, allow_redirects=True)' /path/to/inventree/source
• generic web:
# Monitor access logs for requests to internal IP addresses or unusual domains originating from authenticated InvenTree users (fixed-string match so the dots are not treated as wildcards).
grep -F '127.0.0.1' /var/log/apache2/access.log
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
The primary mitigation for CVE-2026-39362 is to upgrade InvenTree to version 1.2.7 or 1.3.0, which include the necessary fixes. If upgrading is not immediately feasible, disable the INVENTREE_DOWNLOAD_FROM_URL setting in the InvenTree configuration; this prevents the vulnerable functionality from being used at all. As a temporary workaround, implement a Web Application Firewall (WAF) or egress proxy to filter outbound requests and block those targeting internal IP ranges or suspicious domains. Regularly review InvenTree's configuration and access controls to minimize the potential impact of this vulnerability. After upgrading, confirm the fix by attempting to trigger the vulnerable functionality with a known malicious URL and verifying that the request is blocked.
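The redirect bypass described above and the mitigation of refusing outbound requests to internal ranges can be shown concretely. The following is an added example written for this page, not InvenTree's own code or its fix: a hardened fetcher that checks the scheme, rejects embedded credentials, resolves the hostname and refuses any non-public address, and then follows redirects by hand with allow_redirects disabled so that every hop is re-validated (the step a plain allow_redirects=True call skips). The function names, the fake DNS table and the redirect scenario at the end are assumptions constructed for the demonstration; only the stdlib is used.

```python
"""Hardened remote-URL fetcher: re-validates every redirect hop before following it."""
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve_host(hostname):
    """Resolve a hostname (or IP literal) to every address it maps to, IPv4 and IPv6."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (incl. 169.254.169.254), CGNAT,
    documentation, reserved and multicast ranges; IPv4-mapped IPv6 is unwrapped
    first so ::ffff:10.0.0.1 cannot smuggle a private IPv4 address past the check.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_url(url, resolve=resolve_host):
    """Return url unchanged if it is safe to fetch, else raise ValueError."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no hostname")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise ValueError(f"could not resolve {parts.hostname!r}")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{parts.hostname!r} resolves to non-public address {addr}")
    return url


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urlopen raise HTTPError on 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def stdlib_fetch(url, timeout=10):
    """Fetch one hop only; returns (status, Location header or None, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), b""


def safe_fetch(url, fetch=stdlib_fetch, resolve=resolve_host):
    """Follow redirects manually, validating the target of every hop.

    Returns (status, body, list_of_hops). Raises ValueError if any hop is unsafe
    or the redirect chain exceeds MAX_REDIRECTS.
    """
    hops, current = [], url
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(current, resolve)      # the check the vulnerable path skipped on redirects
        hops.append(current)
        status, location, body = fetch(current)
        if status in REDIRECT_CODES and location:
            current = urljoin(current, location)  # resolve relative Location headers
            continue
        return status, body, hops
    raise ValueError("too many redirects")


# --- Constructed offline scenario (assumption, not from the advisory): a public
# image host answers with a redirect to the cloud metadata address. ---
FAKE_DNS = {"images.example.com": ["8.8.8.8"]}  # any globally routable address works here


def fake_resolve(hostname):
    """Offline stand-in for DNS; IP literals resolve to themselves."""
    return FAKE_DNS.get(hostname, [hostname])


def fake_fetch(url):
    """Offline stand-in for HTTP: first hop redirects, anything else returns an image."""
    if url == "http://images.example.com/logo.png":
        return 302, "http://169.254.169.254/latest/meta-data/", b""
    return 200, None, b"binary image bytes"


def demo_redirect_bypass():
    """Return the error the hardened fetcher raises when the redirect hop is internal."""
    try:
        safe_fetch("http://images.example.com/logo.png", fetch=fake_fetch, resolve=fake_resolve)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(demo_redirect_bypass())
```

With a plain requests.get(url, allow_redirects=True) the first hop passes any hostname check and the library follows the 302 to 169.254.169.254 unseen; here the second hop is rejected before any connection is made. The resolver and fetcher are injectable so the check can be unit-tested offline and so a deployment can plug in its own resolver (for example one that pins the resolved address for the connection to avoid a DNS rebinding race).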
Upgrade InvenTree to version 1.2.7 or later to mitigate the SSRF vulnerability. The update fixes the missing validation of remote image download URLs, preventing authenticated users from reaching internal resources.
CVE-2026-39362 is a Server-Side Request Forgery (SSRF) vulnerability in InvenTree versions 1.2.0 through 1.2.6, allowing authenticated users to make requests to arbitrary URLs.
If you are running InvenTree versions 1.2.0 through 1.2.6 and have the INVENTREE_DOWNLOAD_FROM_URL setting enabled, you are potentially affected by this vulnerability.
Upgrade InvenTree to version 1.2.7 or 1.3.0. Alternatively, disable the INVENTREE_DOWNLOAD_FROM_URL setting as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the SSRF nature of the vulnerability suggests it could be targeted in the future.
Refer to the InvenTree security advisory on their GitHub repository for detailed information and updates: [https://github.com/invenity/inventree/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)