Vulnerability Description
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a `filters` parameter that is passed directly to Django's ORM `queryset.filter(**filters)` without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's `__` lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6 and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.
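The root cause above is unpacking user-controlled keys into `queryset.filter(**filters)`. One way to close that class of issue, shown here as an added example that is neither InvenTree's code nor the project's actual patch, is to validate every filter key against an explicit allowlist of field paths before it reaches the ORM. The `ALLOWED_LOOKUPS` set, the `FilterValidationError` name and the sample allowlists are assumptions chosen for illustration; the function itself has no Django dependency so it runs stand-alone.

```python
# Added defensive example (not InvenTree's code): allowlist validation for
# user-supplied filter keys before they are unpacked into
# queryset.filter(**filters). Keys are Django-style lookups such as
# "name", "name__icontains" or "category__name__iexact".

from typing import Any, Dict, Iterable, Set

# Lookup suffixes an endpoint is willing to apply to an allowed field.
# Assumed set for illustration; trim or extend per endpoint.
ALLOWED_LOOKUPS: Set[str] = {
    "exact", "iexact", "contains", "icontains", "in",
    "gt", "gte", "lt", "lte", "isnull",
}


class FilterValidationError(ValueError):
    """Raised when a filter key is not on the endpoint's allowlist."""


def split_lookup(key: str) -> tuple:
    """Split 'a__b__icontains' into ('a__b', 'icontains').

    If the last segment is not a recognised lookup, the whole key is the
    field path and the lookup is implicitly 'exact'.
    """
    parts = key.split("__")
    if len(parts) > 1 and parts[-1] in ALLOWED_LOOKUPS:
        return "__".join(parts[:-1]), parts[-1]
    return key, "exact"


def validate_filters(filters: Dict[str, Any],
                     allowed_fields: Iterable[str]) -> Dict[str, Any]:
    """Return a copy of `filters` containing only keys whose field path is
    explicitly allowlisted.

    Relationship traversal via '__' is only possible when the developer has
    listed that exact path (e.g. "category__name") in `allowed_fields`;
    any other path, including one that merely ends in an allowed lookup,
    is rejected rather than silently dropped, so callers get a 400 rather
    than an unexpectedly unfiltered result.
    """
    allowed = set(allowed_fields)
    cleaned: Dict[str, Any] = {}
    for key, value in filters.items():
        if not key or key.startswith("__") or key.endswith("__"):
            raise FilterValidationError(f"malformed filter key {key!r}")
        field_path, _lookup = split_lookup(key)
        if field_path not in allowed:
            raise FilterValidationError(f"filter on {key!r} is not permitted")
        cleaned[key] = value
    return cleaned


if __name__ == "__main__":
    # Constructed sample: what an endpoint would do with the request's
    # filters before calling queryset.filter(**safe).
    part_allowlist = {"name", "active", "category__name"}
    request_filters = {"name__icontains": "bolt", "active": True}
    safe = validate_filters(request_filters, part_allowlist)
    print(safe)  # only allowlisted keys survive
```

In a Django view the pattern is `queryset.filter(**validate_filters(request.query_params, ALLOWLIST))` with a per-endpoint allowlist; a rejected key should surface as a client error, and logging `FilterValidationError` gives a cheap detection signal for probing of non-allowlisted relation paths.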
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Inventree Project | Inventree | < 1.2.6 |
Related Weaknesses (CWE)
References
- https://github.com/inventree/InvenTree/pull/11581 (Issue Tracking, Patch)
- https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg (Vendor Advisory)
FAQ
What is CVE-2026-33530?
CVE-2026-33530 is a vulnerability with a CVSS score of 7.7 (HIGH). InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the...
How severe is CVE-2026-33530?
CVE-2026-33530 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33530?
Check the references section above for vendor advisories and patch information. Affected products include: Inventree Project Inventree.