CVE-2026-39362

HIGH

InvenTree has SSRF via Remote Image Download — No IP/Hostname Validation on remote_image URLs

Title source: cna

Description

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirects are followed (allow_redirects=True), enabling bypass of any URL-format checks. This vulnerability is fixed in 1.2.7 and 1.3.0.

References (1)

[X_Refsource_Confirm] https://github.com/inventree/InvenTree/security/advisories/GHSA-m9j7-jw3m-fr22

Scores

CVSS v3 7.1

EPSS 0.0003

EPSS Percentile 7.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (4)

inventree/InvenTree < 1.2.7

inventree_project/inventree 1.2.8

inventree_project/inventree 1.2.9

inventree_project/inventree < 1.2.6

Published Apr 08, 2026

Tracked Since Apr 09, 2026