Plugin Installation Vulnerability in InvenTree Inventory Management System
CVE-2026-35479

6.6 MEDIUM

Key Information:

Vendor

Inventree

Status
Vendor
CVE Published:
8 April 2026

What is CVE-2026-35479?

InvenTree, an open-source inventory management system, allows users with staff access permissions to install plugins via the API without requiring superuser access. This misalignment in permission requirements exposes the system to risk: staff users, who are typically regarded as having a lower trust level than superusers, can install arbitrary plugins, and such plugins run with the application's own privileges and may compromise the system's integrity and security. The issue has been addressed in versions 1.2.7 and 1.3.0.

Affected Version(s)

InvenTree < 1.2.7

References

CVSS V3.1

Score:
6.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
