{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35476", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T20:49:44.453Z", "datePublished": "2026-04-08T19:26:12.692Z", "dateUpdated": "2026-04-08T19:53:28.982Z"}, "containers": {"cna": {"title": "InvenTree Affected by Privilege Escalation via API", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-r8q5-3595-3jh2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-r8q5-3595-3jh2"}, {"name": "https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust", "tags": ["x_refsource_MISC"], "url": "https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust"}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"version": "< 1.2.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T19:26:12.692Z"}, "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "source": {"advisory": "GHSA-r8q5-3595-3jh2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:53:23.187630Z", "id": "CVE-2026-35476", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:53:28.982Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35476", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T19:53:23.187630Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:53:26.494Z"}}], "cna": {"title": "InvenTree Affected by Privilege Escalation via API", "source": {"advisory": "GHSA-r8q5-3595-3jh2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"status": "affected", "version": "< 1.2.7"}]}], "references": [{"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-r8q5-3595-3jh2", "name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-r8q5-3595-3jh2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust", "name": "https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T19:26:12.692Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35476", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:53:28.982Z", "dateReserved": "2026-04-02T20:49:44.453Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T19:26:12.692Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*", "matchCriteriaId": "E37FC80D-0C3A-425E-A35A-A8EA3B0B4F15", "versionEndIncluding": "1.2.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "id": "CVE-2026-35476", "lastModified": "2026-04-21T13:34:40.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T20:16:24.323", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-r8q5-3595-3jh2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "InvenTree", "source": "cna", "vendor": "inventree"}, "product": "inventree", "vendor": "inventree"}], "analysis": {"en": {"generated_at": "2026-04-08T20:22:16.896376+00:00", "value": {"mitigation_remediation": ["Upgrade InvenTree to version 1.2.7 or 1.3.0 or later where the issue is fixed.", "If an upgrade is not possible immediately, modify the API permission settings to remove write access to the staff status field for non\u2011staff users.", "Apply any additional hardening such as restricting API access to trusted IP ranges.", "Verify after changes that non\u2011staff users can no longer alter their staff status via the API.", "Monitor logs for attempts to modify staff status in future users."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects InvenTree installations running any version before 1.2.7 or 1.3.0. The affected product is the open source inventory management system developed by Inventree, Inc. No other versions or products are listed as impacted.", "description_and_impact": "A misconfigured API endpoint in InvenTree allows any authenticated non\u2011staff user to change their own staff flag via a POST request to the user account endpoint. This improper write permission results in unauthorized elevation of privileges, effectively granting the attacker full administrative control over the system. The weakness is categorized as CWE\u2011285: Improper Authorization.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity issue. EPSS data is unavailable, but the lack of an official CISA KEV listing does not diminish the risk; the flaw can be exploited by any user who can obtain a normal account. The likely attack vector is a remote HTTP API request, requiring only authentication as a regular user. Once the exploit is executed, the attacker immediately gains staff privileges, compromising confidentiality, integrity, and availability of the entire system."}}}}, "created": "2026-04-09T08:18:19.082913+00:00", "updated": "2026-04-09T08:27:41.521169+00:00", "vendors": ["inventree", "inventree$PRODUCT$inventree"]}