CVE-2026-35478 (HIGH, CVSS 8.1; EPSS percentile 21.8%)

Description

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.30% probability of exploitation · percentile 21.8% · 2026-06-19T12:03:05Z
Published: 2026-04-08
Last modified: 2026-04-20

Underlying weaknesses (1)

CWE-639

References

  1. https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg


Type      Target                                                      Confidence  Tier
Weakness  Authorization Bypass Through User-Controlled Key (CWE-639)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-35477
CVE: CVE-2026-27629
CVE: CVE-2026-46407
CVE: CVE-2025-53106
CVE: CVE-2026-11519
CVE: CVE-2025-6502
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.