Vulnerability Description
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The vulnerability allows staff users (who may be considered to have a lower level of trust than a superuser account) to install arbitrary (and potentially harmful) plugins. This vulnerability is fixed in 1.2.7 and 1.3.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Inventree Project | Inventree | < 1.2.7 |
Related Weaknesses (CWE)
References
- https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trustProduct
- https://docs.inventree.org/en/stable/start/config/#plugin-optionsProduct
- https://github.com/inventree/InvenTree/security/advisories/GHSA-7c3q-vwcv-2vp7Third Party Advisory
FAQ
What is CVE-2026-35479?
CVE-2026-35479 is a vulnerability with a CVSS score of 6.6 (MEDIUM). InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account ac...
How severe is CVE-2026-35479?
CVE-2026-35479 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35479?
Check the references section above for vendor advisories and patch information. Affected products include: Inventree Project Inventree.