7.2

CVE-2026-35476

EPSS 0.03%
Veröffentlicht 08.04.2026 19:26:12
Zuletzt bearbeitet 21.04.2026 13:34:40
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Inventree Project ≫ Inventree Version <= 1.2.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.078

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	7.2	3.9	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/inventree/InvenTree/security/advisories/GHSA-r8q5-3595-3jh2

Third Party Advisory

https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust

Product

https://nvd.nist.gov/vuln/detail/CVE-2026-35476

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35476

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35476

EUVD