CVE-2026-35479
MEDIUM
6,6
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: high
User Interaction: none
Scope: changed
Confidentiality: low
Integrity: low
Availability: low
Description
AI Translation Available
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring 'superuser' account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The vulnerability allows staff users (who may be considered to have a lower level of trust than a superuser account) to install arbitrary (and potentially harmful) plugins. This vulnerability is fixed in 1.2.7 and 1.3.0.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0003
Percentile
0,1th
Updated
EPSS Score Trend (Last 8 Days)
285
Improper Authorization
DraftCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Access Control
Potential Impacts:
Read Application Data
Read Files Or Directories
Modify Application Data
Modify Files Or Directories
Gain Privileges Or Assume Identity
Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies:
Database Server, Not Technology-Specific, Web Server
https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust
https://docs.inventree.org/en/stable/start/config/#plugin-options
https://github.com/inventree/InvenTree/security/advisories/GHSA-7c3q-vwcv-2vp7