PT-2026-31436 · Inventree · Inventree

Published: 2026-04-08 · Updated: 2026-04-08 · CVE-2026-35479

CVSS v3.1: 6.6 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

InvenTree versions prior to 1.2.7 and 1.3.0

Description

InvenTree versions before 1.2.7 and 1.3.0 allow users with staff access permissions to install plugins via the API without superuser access. This bypasses the usual requirement of superuser privileges for plugin installation, potentially enabling the installation of harmful plugins. The API endpoint used for plugin installation does not properly enforce the necessary permission checks.

Recommendations

Update to InvenTree version 1.2.7 or 1.3.0.

Fix

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-35479

Affected Products

Inventree