CVE-2026-35476

Published April 9, 2026 · Updated April 9, 2026

7.2CVSS

high

What This Means

CVE-2026-35476 is a high-severity vulnerability in InvenTree, an open source inventory management system. Users without staff privileges can exploit misconfigured API permissions to elevate their accounts to staff level via a POST request, potentially allowing unauthorized access to sensitive functionalities. Upgrade to InvenTree versions 1.2.7 or 1.3.0 to mitigate this risk.

Official Description+

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is fixed in 1.2.7 and 1.3.0.

Recommended Actions

Check if your systems use any of the affected products listed above.
Apply vendor patches immediately if available.
Monitor vendor advisories for updates and additional mitigations.
Review logs for indicators of compromise related to CVE-2026-35476.

Related Coverage

Vvulnerability

Critical Elevation of Privilege Flaw in InvenTree Inventory Management

CVE-2026-35476 allows elevation to staff privileges in InvenTree prior to 1.2.7 and 1.3.0. Unauthorized account access can result. Immediate upgrades required.

NVD·4h ago·3 min read