inventree
Fixed version
1.2.8
CVE-2026-35479 is a vulnerability in InvenTree, an open-source inventory management system. It allows users with staff access permissions to install plugins via the API, bypassing the usual superuser requirement. This misconfiguration could lead to the installation of malicious plugins, potentially compromising the system's integrity and data. The vulnerability impacts versions 1.2.0 through 1.2.6 and is resolved in versions 1.2.7 and 1.3.0.
The primary impact of CVE-2026-35479 is the ability for unauthorized users to install arbitrary plugins within the InvenTree system. A malicious actor, posing as a staff user, could upload a plugin containing malicious code designed to steal sensitive inventory data, modify records, or even gain further access to the underlying server. The blast radius extends to any data stored within InvenTree, including product details, supplier information, and potentially user credentials. While the vulnerability requires staff-level access, this access is often granted to a wider range of users than superuser accounts, increasing the potential attack surface. This vulnerability highlights a critical flaw in the plugin management process, allowing for privilege escalation through seemingly benign actions.
CVE-2026-35479 was publicly disclosed on 2026-04-08. There is no indication of this vulnerability being actively exploited at the time of writing. It is not currently listed on CISA KEV. The availability of a relatively straightforward bypass of plugin installation restrictions suggests a moderate risk of exploitation if the vulnerability becomes widely known and a suitable malicious plugin is developed. Public proof-of-concept code is not currently available.
Organizations using InvenTree for inventory management, particularly those with multiple staff users granted access to the system. Smaller businesses or those with less stringent security practices are at higher risk, as they may be less likely to have implemented robust access controls or to regularly update their software. Shared hosting environments where multiple InvenTree instances are running on the same server are also at increased risk, as a compromise of one instance could potentially affect others.
• php: Examine InvenTree's API logs for plugin installation requests originating from users without superuser privileges. Look for POST requests to the plugin installation endpoint with unusual or suspicious plugin metadata.
  grep 'plugin_install' /var/log/apache2/access.log | grep 'staff_user'
• generic web: Monitor InvenTree's access logs for attempts to access plugin installation endpoints. Look for unusual user agents or IP addresses.
  curl -I <invenTree_url>/api/plugins/install
• generic web: Check for the presence of newly installed plugins that were not authorized by the system administrator. Review the plugin list within the InvenTree admin interface.
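As an added example (not code from the page or from the InvenTree project), the following Python script carries out the log review described above: it parses Apache combined-format access log lines, flags POST requests to the plugin installation endpoint, and summarizes them by source address and user agent so that successful installs can be cross-checked against the plugin list in the admin interface. The log lines are constructed; the endpoint path `/api/plugins/install` is the one named in the detection steps, and the script assumes the API may be served under a prefix, so it matches on the path suffix.

```python
import re
from collections import Counter

# Constructed sample access log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2026:10:01:12 +0000] "GET /api/part/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Apr/2026:10:02:45 +0000] "POST /api/plugins/install/ HTTP/1.1" 201 88 "-" "python-requests/2.31"
10.0.0.5 - - [08/Apr/2026:10:03:01 +0000] "GET /api/plugins/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Apr/2026:10:03:30 +0000] "POST /api/plugins/install/ HTTP/1.1" 403 42 "-" "python-requests/2.31"
10.0.0.9 - - [08/Apr/2026:10:05:00 +0000] "POST /api/plugins/install?x=1 HTTP/1.1" 201 90 "-" "curl/8.4.0"
"""

# Combined log format: ip ident authuser [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the detection steps above; assumed to be reachable under an
# optional deployment prefix, hence the suffix match in find_plugin_installs().
INSTALL_PATH = "/api/plugins/install"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so the path comparison is stable.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_plugin_installs(lines):
    """Return every POST to the plugin install endpoint, regardless of status code."""
    hits = []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].rstrip("/").endswith(INSTALL_PATH):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count install attempts, successful (2xx) installs, and group by IP and user agent.

    Note: the 'authuser' field in a web server log is the HTTP auth user, not the
    InvenTree account, so successful installs still need to be matched against the
    plugin list and user records inside InvenTree itself.
    """
    succeeded = [h for h in hits if 200 <= h["status"] < 300]
    return {
        "total": len(hits),
        "succeeded": len(succeeded),
        "by_ip": Counter(h["ip"] for h in hits),
        "by_ua": Counter(h["ua"] for h in hits),
    }


if __name__ == "__main__":
    found = find_plugin_installs(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} POST {h["path"]} -> {h["status"]} ({h["ua"]})')
    print(summarize(found))
```

Run it against the real file with `find_plugin_installs(open("/var/log/apache2/access.log"))`; a 2xx response to this endpoint from an address or client that the administrator does not recognise is the signal to compare against the installed plugin list.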
disclosure
Exploitation status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35479 is to immediately upgrade InvenTree to version 1.2.7 or 1.3.0, which addresses the flawed permission check. If upgrading is not immediately feasible, consider implementing stricter access controls within InvenTree to limit the number of users with staff permissions. Review existing plugins for any signs of compromise. While a direct WAF rule is unlikely to be effective, monitoring API endpoints related to plugin installation for unusual activity could provide early warning signs. Regularly audit user permissions and plugin installations to ensure compliance with security best practices. After upgrading, confirm the fix by attempting to install a plugin with a standard staff account – it should be denied.
Upgrade InvenTree to version 1.2.7 or later to mitigate the vulnerability. This update fixes the missing permission check for plugin installation via the API, which now requires superuser privileges.
CVE-2026-35479 is a vulnerability in InvenTree versions 1.2.0 through 1.2.6 that allows staff users to install plugins without superuser access, potentially enabling malicious code execution.
You are affected if you are running InvenTree versions 1.2.0 through 1.2.6. Upgrade to 1.2.7 or 1.3.0 to mitigate the risk.
Upgrade InvenTree to version 1.2.7 or 1.3.0. If immediate upgrade is not possible, restrict staff user permissions and monitor plugin installations.
There is currently no evidence of active exploitation of CVE-2026-35479, but the vulnerability's nature suggests a potential risk.
Refer to the InvenTree security advisory on their official website or GitHub repository for detailed information and updates.