HIGH🇬🇧 English

CVE-2026-35478

CVSS 8.3v3.1pub. 2026-04-08upd. 2026-04-20

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
  • Inventree Project Inventree

    APP
    Inventree Project
    0.16.0 – 1.2.6
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-35476HIGH7.2ten sam produkt

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated u...

CVE-2026-33530HIGH7.7ten sam produkt

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associa...

CVE-2024-47610HIGH7.3ten sam produkt

InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for ...

CVE-2022-2111HIGH8.8ten sam produkt

Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2.

CVE-2022-2112HIGH8.8ten sam produkt

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0....