PT-2026-31435 · Inventree · Inventree
Published 2026-04-08 · Updated 2026-04-08
CVE-2026-35478
CVSS v3.1 score 8.3 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
InvenTree versions 0.16.0 through 1.2.6
Description
An authenticated InvenTree user can create a valid API token for any other user, including administrators and superusers, by supplying the target user's ID in the user field of a POST request to the /api/user/tokens/ API endpoint. The endpoint honours the client-supplied user ID instead of binding the new token to the authenticated caller, so the only check an attacker has to pass is ordinary login as a low-privilege account. The generated token grants full API authentication as the target user from any network location, with no interaction by the victim.
Recommendations
Update to version 1.2.7 or 1.3.0.
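To make the description concrete, the following is an added example written for this page; it is not InvenTree's code and not its actual fix. It is a framework-free Python model of the token endpoint: a vulnerable handler that honours the client-supplied user field, beside a hardened handler that binds the token to the authenticated caller and rejects (rather than silently remaps) a mismatched user field, so that attempts show up in logs. All names (User, TokenStore, create_token_vulnerable, create_token_hardened, Forbidden) are hypothetical, and the two-user table is constructed for the demo.

```python
"""Model of the token-minting IDOR described in the advisory.

Added example, not InvenTree's code. The in-memory user table and token
store stand in for the database; the handler names are hypothetical.
Only the behaviour follows the advisory text: the vulnerable handler
trusts a client-supplied ``user`` field, the hardened one binds the
token to the authenticated requester.
"""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_superuser: bool = False


# Constructed sample user table: one superuser, one low-privilege account.
USERS = {
    1: User(1, "admin", is_superuser=True),
    7: User(7, "intern"),
}


@dataclass
class TokenStore:
    """Maps opaque API tokens to the user id they authenticate as."""
    tokens: dict = field(default_factory=dict)

    def issue(self, user_id: int) -> str:
        token = "inv-" + secrets.token_hex(16)
        self.tokens[token] = user_id
        return token

    def authenticate(self, token: str):
        """Return the User a token logs in as, or None if unknown."""
        uid = self.tokens.get(token)
        return USERS.get(uid) if uid is not None else None


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


def create_token_vulnerable(store, requester, payload):
    """POST /api/user/tokens/ as the advisory describes it: the ``user``
    field from the request body is honoured, so any authenticated caller
    can mint a token for any existing user id."""
    target_id = int(payload.get("user", requester.id))
    if target_id not in USERS:
        raise KeyError("no such user")
    return store.issue(target_id)


def create_token_hardened(store, requester, payload):
    """Same endpoint with server-side binding: the token is always issued
    to the authenticated requester. A ``user`` value naming someone else
    is refused explicitly instead of being quietly overridden, so the
    attempt is visible rather than hidden."""
    if "user" in payload and int(payload["user"]) != requester.id:
        raise Forbidden("user field must match the authenticated user")
    return store.issue(requester.id)


def demo():
    """Replay the attack against both handlers. Returns the username the
    vulnerable token authenticates as, whether the hardened handler
    refused the forged request, and whom the hardened token belongs to."""
    intern = USERS[7]
    attack_body = {"user": 1, "name": "ci-token"}   # target the superuser

    store_v = TokenStore()
    forged = create_token_vulnerable(store_v, intern, attack_body)
    vuln_identity = store_v.authenticate(forged).username   # "admin"

    store_h = TokenStore()
    try:
        create_token_hardened(store_h, intern, attack_body)
        refused = False
    except Forbidden:
        refused = True
    own = create_token_hardened(store_h, intern, {"name": "ci-token"})
    hardened_identity = store_h.authenticate(own).username   # "intern"
    return vuln_identity, refused, hardened_identity


if __name__ == "__main__":
    print(demo())   # ('admin', True, 'intern')
```

The run shows the low-privilege account minting a token that authenticates as the superuser against the vulnerable handler, while the hardened handler refuses the forged body and only ever issues tokens for the caller. The same request is the quickest regression check against a real instance after upgrading: a POST to /api/user/tokens/ with user set to another account's ID must not return a token that authenticates as that account.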
Fix
Available: update to 1.2.7 or 1.3.0 (see Recommendations).
Weakness Enumeration
IDOR (Insecure Direct Object Reference): the endpoint accepts a client-controlled user ID without checking that it belongs to the authenticated caller.
Related Identifiers
CVE-2026-35478
Affected Products
Inventree