Perceptive Security
SOC/SIEM Consultancy

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via…
Published:
7 April 2026 at 22:00:00
Alert date:
8 April 2026 at 21:02:10
Source:
nvd.nist.gov
Enterprise Applications, Identity & Access
InvenTree Open Source Inventory Management System contains a privilege escalation vulnerability in versions prior to 1.2.7 and 1.3.0. A non-staff authenticated user can elevate their account to staff level via a POST request to their user account endpoint. The vulnerability stems from improperly configured write permissions on the API endpoint, allowing any user to modify their staff status. This represents a critical access control bypass that could lead to unauthorized administrative access. The issue has been patched in versions 1.2.7 and 1.3.0.
Technical details
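The mechanism described above, as an added illustration that is not InvenTree's own code: a self-service account update handler that checks only whether the caller owns the account (object-level permission) and then writes every submitted field, placed beside a hardened version that adds field-level write control so that privileged flags can only be set by an administrator. The `User` fields, the `SELF_EDITABLE` and `PRIVILEGED` sets, the handler names and the example payload are assumptions made for this demo; the actual InvenTree endpoint path and serializer fields are not given on this page.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Would map to HTTP 403 in a real API view."""


class ValidationError(Exception):
    """Would map to HTTP 400 in a real API view."""


@dataclass
class User:
    username: str
    email: str
    is_staff: bool = False
    is_superuser: bool = False


# Assumed for the demo: fields a user may change on their own account.
SELF_EDITABLE = frozenset({"email"})
# Fields that confer privilege; only an administrator may write them.
PRIVILEGED = frozenset({"is_staff", "is_superuser"})


def update_account_vulnerable(actor: User, target: User, payload: dict) -> User:
    """Pattern behind the advisory: an object-level check (you may only edit
    your own account), then every submitted attribute is written, so a plain
    authenticated user can POST {"is_staff": true} against their own account."""
    if actor.username != target.username and not actor.is_staff:
        raise PermissionDenied("may only edit own account")
    for name, value in payload.items():
        if hasattr(target, name):  # no field-level write permission check
            setattr(target, name, value)
    return target


def update_account_hardened(actor: User, target: User, payload: dict) -> User:
    """Same endpoint with field-level write permissions: unknown fields are a
    400, privileged fields need a superuser, and nothing is written unless
    the whole payload is allowed."""
    if actor.username != target.username and not actor.is_staff:
        raise PermissionDenied("may only edit own account")
    unknown = set(payload) - SELF_EDITABLE - PRIVILEGED
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    requested_privileged = set(payload) & PRIVILEGED
    if requested_privileged and not actor.is_superuser:
        # Reject rather than silently drop: a non-admin sending is_staff=true
        # is exactly the probe a SOC wants to see in the access log.
        raise PermissionDenied(f"not allowed to write {sorted(requested_privileged)}")
    for name, value in payload.items():
        setattr(target, name, value)
    return target


def demo() -> dict:
    """Send the escalation payload (constructed) to both handlers as a
    non-staff user editing their own account and report the outcome."""
    payload = {"email": "mallory@example.test", "is_staff": True}

    vuln_user = User("mallory", "m@example.test")
    update_account_vulnerable(vuln_user, vuln_user, payload)

    hard_user = User("mallory", "m@example.test")
    try:
        update_account_hardened(hard_user, hard_user, payload)
        hardened_result = "accepted"
    except PermissionDenied as exc:
        hardened_result = f"403: {exc}"

    return {
        "vulnerable_is_staff": vuln_user.is_staff,
        "hardened_is_staff": hard_user.is_staff,
        "hardened_result": hardened_result,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened handler fails the whole request before touching the record, so a rejected escalation attempt leaves the account unchanged and produces a 403 that can be alerted on; dropping the field silently would hide the attempt. The same self-test (a non-staff account submitting `is_staff` to its own account endpoint and confirming the response is a 403 and the flag is unchanged) is the check to run against an instance after upgrading to a fixed release.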
Mitigation steps:
Upgrade InvenTree to version 1.2.7 or 1.3.0 (or later), which contain the fix.
Affected products:
InvenTree
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-35476
https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust
https://github.com/inventree/InvenTree/security/advisories/GHSA-r8q5-3595-3jh2
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
