inventree
Fixed version
1.2.8
CVE-2026-35476 describes a Privilege Escalation vulnerability discovered in InvenTree, an open-source inventory management system. This flaw allows a non-staff user, after authentication, to elevate their account privileges to a staff level, granting them broader access and control within the system. The vulnerability impacts versions 1.2.0 through 1.2.6 and is resolved in versions 1.2.7 and 1.3.0.
Successful exploitation of CVE-2026-35476 allows an attacker to bypass access controls and gain staff-level privileges within InvenTree. This could lead to unauthorized modification of inventory data, creation of new users with elevated permissions, and potentially complete control over the system's configuration. The impact is particularly severe as it requires only authentication, making it accessible to anyone who can log in to the system. A malicious insider or a compromised user account could leverage this vulnerability to cause significant disruption and data breaches.
CVE-2026-35476 was publicly disclosed on 2026-04-08. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on CISA KEV, and its EPSS score is likely low given the lack of public exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations using InvenTree for inventory management, particularly those with multiple users and varying permission levels, are at risk. Environments with weak password policies or shared user accounts are especially vulnerable. Users relying on InvenTree's access controls for sensitive inventory data are also at increased risk.
• php: Examine InvenTree's API endpoint logs for suspicious POST requests targeting user account modification. Look for requests originating from non-staff users attempting to change their 'staff' status.
# -E enables extended regex so that '+' is a quantifier rather than a literal character
grep -E 'user_id=[0-9]+&staff=true' /path/to/invenTree/api.log
• generic web: Monitor access logs for unusual activity related to user account management endpoints.
# -s fetches the response body (the -I header-only request would never contain the staff field);
# the API requires authentication, so supply credentials for an account allowed to read the user record
curl -s -u 'USER:PASSWORD' http://your-invenTree-instance/api/users/{user_id}/ | grep -i staff
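One way to make the log check above repeatable, as an added example that is not from this page or the InvenTree project: it scans constructed JSON-lines access-log records (the field names ts/user/is_staff/method/path/body and the /api/users/<id>/ path are assumptions; InvenTree's real log layout may differ) and flags write requests from non-staff users whose body sets a staff field to true, which is the event a defender would want to alert on for this CVE.

```python
import json
import re

# Constructed sample log lines in an assumed JSON-lines format.
# InvenTree's real access-log layout is not given on the page; adapt the field names.
SAMPLE_LOG = """
{"ts":"2026-04-09T10:01:02Z","user":"alice","is_staff":false,"method":"GET","path":"/api/users/17/","body":""}
{"ts":"2026-04-09T10:01:05Z","user":"alice","is_staff":false,"method":"PATCH","path":"/api/users/17/","body":"{\\"is_staff\\":true}"}
{"ts":"2026-04-09T10:02:11Z","user":"bob","is_staff":true,"method":"PATCH","path":"/api/users/23/","body":"{\\"is_staff\\":true}"}
{"ts":"2026-04-09T10:03:40Z","user":"carol","is_staff":false,"method":"POST","path":"/api/users/31/","body":"staff=true&user_id=31"}
{"ts":"2026-04-09T10:04:00Z","user":"alice","is_staff":false,"method":"PATCH","path":"/api/users/17/","body":"{\\"email\\":\\"a@example.com\\"}"}
"""

# User-account endpoint as named on the page (assumed path shape; singular/plural both accepted).
USER_ENDPOINT = re.compile(r"^/api/users?/\d+/?$")
# Matches both JSON ("is_staff": true) and form-encoded (staff=true) bodies.
STAFF_FIELD = re.compile(r'"?(?:is_)?staff"?\s*[:=]\s*"?true', re.IGNORECASE)
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def is_staff_escalation_attempt(event):
    """True when a non-staff caller sends a write to a user endpoint that sets staff=true."""
    return (
        event.get("method", "").upper() in WRITE_METHODS
        and USER_ENDPOINT.match(event.get("path", "")) is not None
        and not event.get("is_staff", False)
        and STAFF_FIELD.search(event.get("body", "")) is not None
    )


def scan_log(text):
    """Return (timestamp, user, method, path) for every suspicious record in the log text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if is_staff_escalation_attempt(event):
            findings.append((event["ts"], event["user"], event["method"], event["path"]))
    return findings


if __name__ == "__main__":
    for ts, user, method, path in scan_log(SAMPLE_LOG):
        print(f"{ts} ALERT non-staff user {user!r} sent {method} {path} setting staff=true")
```

Bob's request is not flagged because the caller is already staff; the GET and the e-mail change from alice are not flagged because they do not touch the staff field.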
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35476 is to immediately upgrade InvenTree to version 1.2.7 or 1.3.0, which contain the fix. If upgrading is not immediately feasible, consider implementing stricter access controls and input validation on the user account endpoint. While not a complete solution, restricting write permissions on this endpoint can reduce the attack surface. Review InvenTree's API documentation for best practices on secure endpoint configuration. After upgrading, verify the fix by attempting to elevate a non-staff user account to staff status via a POST request to the user account endpoint; the request should be rejected.
Update InvenTree to version 1.2.7 or later to fix the privilege escalation vulnerability. The update corrects the misconfiguration of write permissions on the API, preventing unauthorized users from changing their staff status.
CVE-2026-35476 is a vulnerability in InvenTree versions 1.2.0 through 1.2.6 that allows authenticated, non-staff users to elevate their account privileges to staff level, potentially granting unauthorized access.
You are affected if you are running InvenTree versions 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, or 1.2.6. Upgrade to 1.2.7 or 1.3.0 to resolve the issue.
The recommended fix is to upgrade InvenTree to version 1.2.7 or 1.3.0. As a temporary workaround, restrict write permissions on the user account endpoint.
As of now, there are no confirmed reports of active exploitation of CVE-2026-35476, but it's crucial to apply the patch promptly.
Refer to the InvenTree security advisories on their official website or GitHub repository for the latest information and updates regarding CVE-2026-35476.