{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35479", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T20:49:44.453Z", "datePublished": "2026-04-08T19:27:57.320Z", "dateUpdated": "2026-04-09T14:16:36.423Z"}, "containers": {"cna": {"title": "InvenTree Plugin Installation - Insufficient Permissions", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-7c3q-vwcv-2vp7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-7c3q-vwcv-2vp7"}, {"name": "https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust", "tags": ["x_refsource_MISC"], "url": "https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust"}, {"name": "https://docs.inventree.org/en/stable/start/config/#plugin-options", "tags": ["x_refsource_MISC"], "url": "https://docs.inventree.org/en/stable/start/config/#plugin-options"}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"version": "< 1.2.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T19:27:57.320Z"}, "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring \"superuser\" account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The vulnerability allows staff users (who may be considered to have a lower level of trust than a superuser account) to install arbitrary (and potentially harmful) plugins. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "source": {"advisory": "GHSA-7c3q-vwcv-2vp7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:16:28.170445Z", "id": "CVE-2026-35479", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:16:36.423Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35479", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:16:28.170445Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:16:32.301Z"}}], "cna": {"title": "InvenTree Plugin Installation - Insufficient Permissions", "source": {"advisory": "GHSA-7c3q-vwcv-2vp7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"status": "affected", "version": "< 1.2.7"}]}], "references": [{"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-7c3q-vwcv-2vp7", "name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-7c3q-vwcv-2vp7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust", "name": "https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.inventree.org/en/stable/start/config/#plugin-options", "name": "https://docs.inventree.org/en/stable/start/config/#plugin-options", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring \"superuser\" account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The vulnerability allows staff users (who may be considered to have a lower level of trust than a superuser account) to install arbitrary (and potentially harmful) plugins. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T19:27:57.320Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35479", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:16:36.423Z", "dateReserved": "2026-04-02T20:49:44.453Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T19:27:57.320Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring \"superuser\" account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The vulnerability allows staff users (who may be considered to have a lower level of trust than a superuser account) to install arbitrary (and potentially harmful) plugins. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "id": "CVE-2026-35479", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T20:16:24.770", "references": [{"source": "security-advisories@github.com", "url": "https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust"}, {"source": "security-advisories@github.com", "url": "https://docs.inventree.org/en/stable/start/config/#plugin-options"}, {"source": "security-advisories@github.com", "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-7c3q-vwcv-2vp7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "InvenTree", "source": "cna", "vendor": "inventree"}, "product": "inventree", "vendor": "inventree"}], "analysis": {"en": {"generated_at": "2026-04-08T20:21:56.719211+00:00", "value": {"mitigation_remediation": ["Upgrade InvenTree to version 1.2.7 or 1.3.0 to apply the vendor fix", "Confirm that only superusers retain the ability to install plugins via the API", "Review the source and integrity of all installed plugins and remove any untrusted additions", "Consider tightening API access controls to restrict plugin installation to privileged accounts", "Implement monitoring for anomalous plugin installation activity by staff users"], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation via Plugin Installation for staff users"}, "threat_synthesis": {"affected_systems": "Any InvenTree installation running a version earlier than 1.2.7 for the 1.2 series or earlier than 1.3.0 for the 1.3 series is vulnerable. The issue is specific to the InvenTree product. Users should verify the deployed version and ensure they are running a patched release.", "description_and_impact": "The vulnerability allows users with staff-level permissions in InvenTree to install plugins through the API without requiring superuser rights. This deviation from the expected privilege model permits the deployment of arbitrary or malicious plugins, potentially enabling an attacker to execute arbitrary code, modify inventory data, or disrupt operations. The weakness is categorized as CWE\u2011285, Abuse of Privilege. If exploited, the attacker can gain administrative influence over the system\u2019s plugins, leading to confidentiality, integrity, and availability impacts.", "risk_and_exploitability": "The CVSS score of 6.6 indicates moderate severity. No EPSS score is available, and the flaw is not listed in CISA\u2019s KEV catalog, suggesting limited evidence of recent exploitation. The attack likely proceeds via an authenticated API call made by a staff user; no external network escalation is required beyond the existing staff credentials. The exploitability is therefore contingent on staff accounts having active API access, which many installations provide for routine operations."}}}}, "created": "2026-04-09T08:18:18.055461+00:00", "updated": "2026-04-09T08:27:40.522023+00:00", "vendors": ["inventree", "inventree$PRODUCT$inventree"]}