High severity7.7NVD Advisory· Published Mar 26, 2026· Updated Apr 1, 2026

CVE-2026-33530

Description

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. /api/part/, /api/stock/, /api/order/so/allocation/, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.

Affected products

Inventree Project/Inventree
cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*
Range: <1.2.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/inventree/InvenTree/pull/11581nvdIssue TrackingPatch
github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qgnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.501
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000