InvenTree
cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*
- < 1.2.7
A privilege escalation vulnerability has been identified in InvenTree, an open-source inventory management system, affecting versions before the fixed releases 1.2.7 and 1.3.0. Any authenticated non-staff user can elevate their own account to staff level by sending a POST request to their own user account endpoint that sets the staff flag. The root cause is improperly configured write permissions on that API endpoint: the field controlling staff status was writable by the account owner, so the server accepted the change without checking whether the requester was permitted to grant staff rights. Exploitation requires a valid user account but nothing more; attack complexity is low.
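The following is an added, framework-agnostic illustration of the bug class described above; it is not InvenTree code and does not reproduce its API. It models a self-service account-update handler that applies every field in the request body (the mass-assignment pattern that lets a user write their own is_staff flag) next to a hardened version that only accepts an explicit allow-list of writable fields, plus a small regression check that reports whether a given handler lets a non-staff user promote themselves. The User record, the handler names and the allow-list are all constructed for this example.

```python
import json
from dataclasses import dataclass
from typing import Callable


@dataclass
class User:
    """Minimal stand-in for an account record (constructed for this example)."""
    username: str
    email: str
    is_staff: bool = False
    is_superuser: bool = False


class PermissionDenied(Exception):
    """Raised by the hardened handler when a request touches a read-only field."""


def update_own_account_vulnerable(user: User, body: str) -> User:
    """Vulnerable pattern: every key in the JSON body is written to the record.

    is_staff is an attribute of the model and nothing marks it read-only, so an
    authenticated non-staff user can promote themselves with one request.
    """
    data = json.loads(body)
    for key, value in data.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


# Explicit allow-list of fields a user may change on their own account.
# The privilege flags are deliberately absent, which makes them read-only here.
SELF_SERVICE_WRITABLE = frozenset({"email"})


def update_own_account_hardened(user: User, body: str) -> User:
    """Hardened pattern: only allow-listed fields are applied.

    Anything else, including is_staff and is_superuser, is rejected rather than
    silently dropped, so an escalation attempt surfaces as an error (a 403 in a
    real API) instead of disappearing from view.
    """
    data = json.loads(body)
    rejected = set(data) - SELF_SERVICE_WRITABLE
    if rejected:
        raise PermissionDenied(f"read-only field(s) in request: {sorted(rejected)}")
    for key, value in data.items():
        setattr(user, key, value)
    return user


def escalation_possible(handler: Callable[[User, str], User]) -> bool:
    """Regression check: is a non-staff user staff after POSTing is_staff=true?

    Returns True when the handler is vulnerable and False when the write is
    blocked, whether it was rejected or ignored.
    """
    victim = User(username="alice", email="alice@example.invalid")  # constructed account
    attempt = json.dumps({"email": "alice@example.invalid", "is_staff": True})
    try:
        result = handler(victim, attempt)
    except PermissionDenied:
        return False
    return result.is_staff


if __name__ == "__main__":
    print("vulnerable handler escalates:", escalation_possible(update_own_account_vulnerable))
    print("hardened handler escalates:  ", escalation_possible(update_own_account_hardened))
```

Rejecting unknown fields, rather than ignoring them as many serializer frameworks do by default, is a deliberate choice: it keeps the behaviour identical for legitimate clients while making escalation attempts visible in application logs.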
A user who exploits this vulnerability gains staff privileges, and with them access to features and data that InvenTree reserves for staff accounts.
Upgrade to InvenTree 1.2.7 or 1.3.0 to address this vulnerability. After upgrading, confirm the fix by having a non-staff test account send the same request against its own user account endpoint and verifying that its staff status is unchanged.