HIGH🇵🇱 Wersja polska

CVE-2026-35478

CVSS 8.3v3.1pub. 2026-04-08upd. 2026-04-20

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
  • Inventree Project Inventree

    APP
    Inventree Project
    0.16.0 – 1.2.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-35476HIGH7.2ten sam produkt

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated u...

CVE-2026-33530HIGH7.7ten sam produkt

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associa...

CVE-2024-47610HIGH7.3ten sam produkt

InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for ...

CVE-2022-2111HIGH8.8ten sam produkt

Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2.

CVE-2022-2112HIGH8.8ten sam produkt

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0....