Remote Code Execution Vulnerability in InvenTree Inventory Management System
CVE-2026-39362

5.3 MEDIUM

Key Information:

Vendor: InvenTree
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-39362?

InvenTree is an open-source inventory management system. When the configuration option 'INVENTREE_DOWNLOAD_FROM_URL' is enabled, authenticated users can supply remote image URLs that the server fetches on their behalf. The application validates these URLs only with Django's URLValidator, a format check that does not reject private IP ranges or internal hostnames, so the server-side fetch can be directed at internal resources (a server-side request forgery condition). Because the fetch follows redirects, a URL that passes the format check can also redirect to an internal address, bypassing the URL-format validation entirely. The vulnerability is fixed in versions 1.2.7 and 1.3.0.
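The following is an added illustration of the two-part gap the description names; it is not InvenTree's code and not the project's fix. It places a format-only check (the weak behaviour) beside a hardened validator that resolves the hostname, rejects every non-public address, and re-validates each redirect hop instead of letting the HTTP client follow redirects on its own. Django's URLValidator is replaced by a standard-library urllib.parse check so the example runs without Django; the hostnames, addresses, resolver table and fetch function are constructed sample data.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5


class UnsafeURL(ValueError):
    """Raised when a user-supplied fetch URL must not be retrieved server-side."""


def format_only_check(url):
    """Weak behaviour: URL format only (stand-in for Django's URLValidator).
    Accepts any well-formed http(s) URL, including ones naming internal hosts."""
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def is_public_ip(addr):
    """True only for globally routable unicast addresses. Private, loopback,
    link-local (169.254.0.0/16, e.g. cloud metadata), multicast, reserved and
    IPv4-mapped IPv6 (::ffff:0:0/96, listed as private by ipaddress) are rejected."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not (ip.is_private or ip.is_loopback or ip.is_link_local
                                 or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host):
    """Real DNS: every address the name maps to (not used by the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url, resolver=default_resolver):
    """Hardened check: scheme allow-list, no embedded credentials, and every
    address the host resolves to must be public. Returns the resolved addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL are not allowed")
    try:  # IP literals are checked directly, hostnames through the resolver
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            raise UnsafeURL(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise UnsafeURL(f"{host!r} resolved to no addresses")
    for addr in addrs:
        if not is_public_ip(addr):
            raise UnsafeURL(f"{host!r} resolves to non-public address {addr}")
    return addrs


def is_safe_fetch_url(url, resolver=default_resolver):
    try:
        validate_fetch_url(url, resolver)
        return True
    except UnsafeURL:
        return False


def fetch_with_checked_redirects(url, fetch, resolver=default_resolver):
    """Follow redirects by hand so every hop is validated. `fetch(url)` returns
    (status, headers, body) and must NOT follow redirects itself."""
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        validate_fetch_url(current, resolver)
        status, headers, body = fetch(current)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                raise UnsafeURL("redirect without Location header")
            current = urljoin(current, location)  # relative targets resolved, then re-checked
            continue
        return current, status, body
    raise UnsafeURL("too many redirects")


# --- constructed sample data for an offline demonstration ---
DEMO_DNS = {
    "cdn.example.com": ["93.184.216.34"],   # any globally routable address works here
    "intranet.example": ["10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
}


def demo_resolver(host):
    if host not in DEMO_DNS:
        raise OSError(f"no such host: {host}")
    return DEMO_DNS[host]


def demo_fetch(url):
    """Constructed public host whose 'redirect.png' bounces the fetcher inward."""
    if url == "http://cdn.example.com/redirect.png":
        return 302, {"Location": "http://intranet.example/secret.png"}, b""
    if url == "http://cdn.example.com/logo.png":
        return 200, {}, b"\x89PNG..."
    return 404, {}, b""


def demo():
    r = {
        "format_only_accepts_internal": format_only_check("http://intranet.example/x.png"),
        "public_host": is_safe_fetch_url("http://cdn.example.com/logo.png", demo_resolver),
        "internal_host": is_safe_fetch_url("http://intranet.example/x.png", demo_resolver),
        "metadata_host": is_safe_fetch_url("http://metadata.example/", demo_resolver),
        "loopback_literal": is_safe_fetch_url("http://127.0.0.1:8000/", demo_resolver),
        "ipv6_mapped_literal": is_safe_fetch_url("http://[::ffff:10.0.0.5]/", demo_resolver),
    }
    try:
        fetch_with_checked_redirects("http://cdn.example.com/redirect.png", demo_fetch, demo_resolver)
        r["redirect_to_internal"] = "fetched"
    except UnsafeURL:
        r["redirect_to_internal"] = "blocked"
    _, status, _ = fetch_with_checked_redirects("http://cdn.example.com/logo.png", demo_fetch, demo_resolver)
    r["plain_fetch_status"] = status
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats for anyone applying this pattern: the resolution in `validate_fetch_url` and the connection the HTTP client later opens are separate lookups, so a name that changes its answer between them (DNS rebinding) still slips through unless the client is made to connect to the address that was validated; and the client's own automatic redirect following must be disabled, otherwise the per-hop check in `fetch_with_checked_redirects` never sees the intermediate targets.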

Affected Version(s)

InvenTree < 1.2.7

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved