Authentication Bypass in InvenTree Inventory Management System
CVE-2026-35476

7.2HIGH

Key Information:

Vendor: Inventree
Status: Inventree
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-35476?

The InvenTree Inventory Management System contains a vulnerability that allows non-staff authenticated users to escalate their account privileges. This occurs due to improper configuration of permissions on the user account API endpoint, enabling any user to change their staff status by sending a specially crafted POST request. Versions 1.2.7 and 1.3.0 and later include patches to address this issue, ensuring that user roles are assigned correctly and mitigating potential unauthorized access.

Affected Version(s)

InvenTree < 1.2.7

References

https://github.com/inventree/InvenTree/security/advisorie...

x_refsource_CONFIRM

https://docs.inventree.org/en/stable/concepts/threat_mode...

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Apr 2, 2026

CVE-2026-35476 Data

JSON

Inventree

What is CVE-2026-35476?

Affected Version(s)

References

CVSS V3.1

Timeline