PT-2026-28488 · Inventree · Inventree

Schrodingersgat · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-33530

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
InvenTree versions prior to 1.2.6
InvenTree versions 1.2.6 through 1.3.0

Description
InvenTree is an open-source inventory management system. Certain API endpoints associated with bulk data operations can be exploited to exfiltrate sensitive information from the database. The bulk operation API endpoints, including /api/part/, /api/stock/, /api/order/so/allocation/, and others, accept a filters parameter. This parameter is passed directly to Django's ORM call queryset.filter(**filters) without any field allowlisting, which allows authenticated users to traverse model relationships using Django's lookup syntax and perform blind boolean-based data extraction. The filters parameter is the key component of this issue.

Recommendations
Update InvenTree to version 1.2.6 or later. Update InvenTree to version 1.3.0 or later.
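As an added example (not InvenTree's own code, and not the fix the project shipped), the following Python shows the field allowlisting the description says was missing: a user-supplied filters mapping is checked against a hypothetical per-endpoint list of concrete fields and lookups before anything reaches queryset.filter(**filters), so keys that walk a model relationship are refused. The endpoints, field names and lookup set are assumptions for illustration.

```python
"""Allowlist a user-supplied ``filters`` mapping before it reaches
``queryset.filter(**filters)``.  Added example for this advisory; it is
not InvenTree's code, and the allowlists below are hypothetical."""
from typing import Any, Mapping

# Hypothetical per-endpoint allowlist of concrete columns the bulk
# endpoint may filter on.  Anything else, including a relationship
# traversal such as ``related_model__field``, is refused before the ORM.
ALLOWED_FIELDS = {
    "/api/part/": {"pk", "name", "category", "active"},
    "/api/stock/": {"pk", "part", "location", "quantity"},
}

# Lookups that compare only against the allowlisted column itself.
ALLOWED_LOOKUPS = {"exact", "iexact", "in", "gt", "gte", "lt", "lte"}


class FilterNotAllowed(ValueError):
    """Raised when a filter key falls outside the endpoint's allowlist."""


def validate_filters(endpoint: str, filters: Mapping[str, Any]) -> dict[str, Any]:
    """Return a copy of ``filters`` if every key is ``field`` or
    ``field__lookup`` for an allowlisted field and lookup, else raise.

    Keys split on Django's ``__`` separator.  More than one separator
    means the key walks a relationship (``fk__column__lookup``), which is
    the traversal this advisory describes, so it is rejected outright.
    """
    allowed = ALLOWED_FIELDS.get(endpoint)
    if allowed is None:
        raise FilterNotAllowed(f"no filter allowlist for {endpoint}")
    for key in filters:
        parts = key.split("__")
        if len(parts) > 2:
            raise FilterNotAllowed(f"relationship traversal not permitted: {key}")
        field = parts[0]
        lookup = parts[1] if len(parts) == 2 else "exact"
        if field not in allowed:
            raise FilterNotAllowed(f"field not filterable on {endpoint}: {key}")
        if lookup not in ALLOWED_LOOKUPS:
            raise FilterNotAllowed(f"lookup not permitted: {key}")
    return dict(filters)


def is_allowed(endpoint: str, filters: Mapping[str, Any]) -> bool:
    """Predicate form of ``validate_filters`` for callers that want a bool."""
    try:
        validate_filters(endpoint, filters)
    except FilterNotAllowed:
        return False
    return True
```

A deny-by-default check like this sits in the view before the ORM call, so an unknown endpoint or an unlisted field fails closed rather than being forwarded as a query.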

Related Identifiers

CVE-2026-33530
GHSA-M8J2-VFMQ-P6QG

Affected Products

Inventree