Description
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/inventree/InvenTree/security/advisories/GHSA-r8q5-3595-3jh2
X_Refsource_Misc x_refsource_misc
https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust
Scores
CVSS v3
7.2
EPSS
0.0014
EPSS Percentile
4.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-285
Status
published
Products (2)
inventree/InvenTree
< 1.2.7
inventree_project/inventree
< 1.2.6
Published
Apr 08, 2026
Tracked Since
Apr 09, 2026