High severity8.3NVD Advisory· Published Apr 8, 2026· Updated Apr 20, 2026

CVE-2026-35478

Description

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0.

Affected products

Inventree Project/Inventree
cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*
Range: >=0.16.0,<=1.2.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rgnvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.540
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000