
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed t…

Published:

7 April 2026 at 22:00:00

Alert date:

8 April 2026 at 21:02:10

Source:

nvd.nist.gov


Enterprise Applications, Identity & Access

CVE-2026-35478 affects InvenTree Open Source Inventory Management System versions 0.16.0 to before 1.2.7. Any authenticated user can create valid API tokens for other users, including administrators and superusers, by supplying the target's user ID in a POST request to /api/user/tokens/. The generated token provides immediate full API authentication as the target user from any network location without further interaction. This represents a critical privilege escalation vulnerability that allows authenticated attackers to impersonate any user in the system. The vulnerability is fixed in versions 1.2.7 and 1.3.0.
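The flaw described above is a classic authorization gap in a token-issuing endpoint: the server trusts a client-supplied user id instead of binding the token to the authenticated caller. The following Python is an added illustration of that pattern and its fix, plus a small audit-log check; it is not InvenTree's code. Only the endpoint path /api/user/tokens/ and the version range come from the advisory; the request shape, the `User`/`TokenStore` types, the `actor=`/`subject=` log fields and the sample log lines are assumptions constructed for the example.

```python
"""Added illustration of the access-control bug class behind CVE-2026-35478.
Not InvenTree's code: every type, helper and log format here is an assumption."""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_superuser: bool = False


@dataclass
class TokenStore:
    # token string -> id of the user the token authenticates as
    tokens: dict = field(default_factory=dict)

    def issue(self, user_id: int) -> str:
        tok = secrets.token_hex(20)
        self.tokens[tok] = user_id
        return tok


class Forbidden(Exception):
    """Raised when a caller tries to act on behalf of another user."""


def create_token_vulnerable(store: TokenStore, request_user: User, payload: dict) -> str:
    # Trusts the client-supplied 'user' field, so any authenticated caller can
    # mint a token bound to any user id. This is the flaw class the advisory describes.
    target = payload.get("user", request_user.id)
    return store.issue(int(target))


def create_token_fixed(store: TokenStore, request_user: User, payload: dict) -> str:
    # The token is always bound to the authenticated caller. A 'user' field that
    # names anyone else is rejected rather than silently ignored, so a probe for
    # the old behaviour surfaces as a 403 in the application log.
    target = int(payload.get("user", request_user.id))
    if target != request_user.id:
        raise Forbidden(
            f"user {request_user.id} may not create tokens for user {target}"
        )
    return store.issue(request_user.id)


# Constructed audit-log lines (assumed format, not real InvenTree output):
# 'actor' is the authenticated requester, 'subject' the user the token was bound to.
SAMPLE_AUDIT = [
    "POST /api/user/tokens/ actor=12 subject=12 status=201",
    "POST /api/user/tokens/ actor=12 subject=1 status=201",
    "POST /api/user/tokens/ actor=7 subject=7 status=201",
    "POST /api/part/ actor=7 subject=1 status=201",
]


def find_cross_user_token_issuance(lines) -> list:
    """Return (actor, subject) pairs where a token was successfully created for a
    user other than the requester. On a patched install this list should be empty;
    on an affected version it is the signal a defender wants to review."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[1] != "/api/user/tokens/":
            continue
        fields = dict(kv.split("=", 1) for kv in parts[2:] if "=" in kv)
        if fields.get("status") == "201" and fields.get("actor") != fields.get("subject"):
            findings.append((int(fields["actor"]), int(fields["subject"])))
    return findings


if __name__ == "__main__":
    store = TokenStore()
    alice = User(12, "alice")
    # Vulnerable handler: alice obtains a token that authenticates as user 1.
    t = create_token_vulnerable(store, alice, {"user": 1})
    print("vulnerable handler bound token to user", store.tokens[t])
    # Fixed handler: the same request is refused.
    try:
        create_token_fixed(store, alice, {"user": 1})
    except Forbidden as exc:
        print("fixed handler refused:", exc)
    print("cross-user issuance in sample log:", find_cross_user_token_issuance(SAMPLE_AUDIT))
```

The hardened handler deliberately rejects a mismatched `user` field instead of overwriting it, because a rejected request is what makes the probing visible in server logs; the log check is the corresponding retrospective view for installs that ran an affected version.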

Mitigation steps:

Upgrade InvenTree to version 1.2.7 or 1.3.0, in which the issue is fixed. Because a token minted through this flaw authenticates as the target user from any network location, installations that ran an affected version (0.16.0 to before 1.2.7) should also review the API tokens held by administrator and superuser accounts and revoke any that cannot be accounted for.

Affected products:

InvenTree


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
