{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35478", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T20:49:44.453Z", "datePublished": "2026-04-08T19:24:05.044Z", "dateUpdated": "2026-04-08T20:12:15.181Z"}, "containers": {"cna": {"title": "InvenTree has Arbitrary API Token Creation", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg"}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"version": ">= 0.16.0, < 1.2.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T19:24:05.044Z"}, "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system \u2014 including administrators and superusers \u2014 by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "source": {"advisory": "GHSA-qh5j-c28q-c4rg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T20:11:59.356333Z", "id": "CVE-2026-35478", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T20:12:15.181Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35478", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T20:11:59.356333Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T20:12:05.710Z"}}], "cna": {"title": "InvenTree has Arbitrary API Token Creation", "source": {"advisory": "GHSA-qh5j-c28q-c4rg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"status": "affected", "version": ">= 0.16.0, < 1.2.7"}]}], "references": [{"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg", "name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system \u2014 including administrators and superusers \u2014 by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T19:24:05.044Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35478", "state": "PUBLISHED", "dateUpdated": "2026-04-08T20:12:15.181Z", "dateReserved": "2026-04-02T20:49:44.453Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T19:24:05.044Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*", "matchCriteriaId": "ADB98168-9764-4D5D-9DF9-44D08A33DC26", "versionEndIncluding": "1.2.6", "versionStartIncluding": "0.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system \u2014 including administrators and superusers \u2014 by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "id": "CVE-2026-35478", "lastModified": "2026-04-20T15:12:03.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T20:16:24.630", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.16.0,1.2.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "InvenTree", "source": "cna", "vendor": "inventree"}, "product": "inventree", "vendor": "inventree"}], "analysis": {"en": {"generated_at": "2026-04-08T20:51:02.320462+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to InvenTree version 1.2.7 or later.", "If upgrading is not immediately possible, temporarily revoke API token creation privileges for all users except administrators or disable the /api/user/tokens/ endpoint.", "Monitor API token creation logs for unusual activity and enforce rate limiting on the token creation API.", "Review and tighten role permissions to limit who can create API tokens."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Arbitrary API Token Creation"}, "threat_synthesis": {"affected_systems": "InvenTree, an open\u2011source inventory management system, is affected for releases from version 0.16.0 through any pre\u20111.2.7 release. Users of these versions, regardless of role, can create arbitrary tokens for any other user. The vulnerability is fixed in releases 1.2.7 and 1.3.0.", "description_and_impact": "An authenticated user in InvenTree can create a new API token that is attributed to any target user by providing that user's ID in the token creation request. The created token is instantly usable for API authentication, allowing the requester to fully impersonate the target user, including administrators and superusers, from any network location with no further interaction. This results in complete control over the system for the impersonated account and aligns with the weakness defined as Authorization Bypass Through Privilege Escalation (CWE-639).", "risk_and_exploitability": "The flaw carries a CVSS v3 score of 8.3, indicating high severity. It does not currently appear in the CISA KEV catalog and EPSS data is unavailable, so the exact likelihood of exploitation is unknown. The attack vector requires only that the attacker be authenticated to the system; thereafter the token creation endpoint can be called to generate a valid token for any user. Once obtained, the token grants full API\u2011level access, enabling data exfiltration, configuration changes, or potential further lateral movement if integrated with other services."}}}}, "created": "2026-04-09T08:18:20.079386+00:00", "updated": "2026-04-09T08:27:42.447045+00:00", "vendors": ["inventree", "inventree$PRODUCT$inventree"]}