CVE-2026-35476

Name of the Vulnerable Software and Affected Versions InvenTree versions prior to 1.2.7 and 1.3.0

Description InvenTree, an Open Source Inventory Management System, has an issue where a non-staff authenticated user can elevate their account to a staff level. This is due to improperly configured write permissions on the user account API endpoint, allowing any user to change their staff status via a POST request.

Recommendations Update to version 1.2.7 or 1.3.0.