CVE-2026-35478
Published: 08 April 2026
Summary
CVE-2026-35478 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in InvenTree (NVD vendor/product: Inventree Project / Inventree). Its CVSS v3.1 base score is 8.3 (High).
Operationally, exploitation aligns most directly with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 15.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): requires verifying the identity of a user before issuing an authenticator such as an API token, which directly prevents the creation of tokens for other users, administrators included.
- AC-3 (Access Enforcement): enforces approved authorizations on the token-creation endpoint so that a user cannot generate a token attributed to another user.
- Input validation: checks the user ID supplied in the POST body against the authenticated requester, closing the user-controlled-key bypass at the point where the key enters the application.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets any authenticated user create API tokens for any other user (including admins). That maps to privilege escalation by impersonation (T1068), theft of application access tokens (T1528), and use of those tokens for authenticated access (T1550.001, Use Alternate Authentication Material: Application Access Token).
NVD Description
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0.
Deeper analysis
CVE-2026-35478 affects InvenTree, an open-source inventory management system, in versions from 0.16.0 up to but not including 1.2.7. The vulnerability allows any authenticated user to create a valid API token for any other user in the system, including administrators and superusers, by specifying the target user's ID in the "user" field of a POST request to the /api/user/tokens/ endpoint. This flaw, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to its potential for significant confidentiality and integrity impacts.
An attacker holding any valid account can exploit this remotely over the network with low complexity and no user interaction. A single crafted POST request yields a fully functional API token for the target user, giving complete impersonation and API access as that user from any location, with no additional authentication step. The privileges gained are whatever the victim holds, up to full administrative control when the target is a superuser.
The GitHub security advisory at https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg details the fix, which is available in InvenTree versions 1.2.7 and 1.3.0. The advisory lists no workaround, so practitioners should upgrade to a patched release immediately. Because the fix changes how tokens are created rather than which tokens already exist, also review existing API tokens for anomalies (tokens an account did not create for itself) and revoke any that cannot be accounted for.
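To make the CWE-639 pattern concrete, here is an added example; it is not InvenTree's code and not the upstream fix. It is a minimal in-memory stand-in for a token-creation view, written in Python because InvenTree is a Django application, with the vulnerable form (token owner taken from the client-supplied `user` field) beside a hardened form (owner bound to the authenticated requester, with an explicit `user` honoured only for the requester themself or, as an assumed policy, for a superuser). The hardened form also shows the input-validation and access-enforcement controls listed in the mitigating-controls section above. All names (`User`, `TokenStore`, `create_token_vulnerable`, `create_token_fixed`, `demo`) and the two sample accounts are constructed for this illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    id: int
    username: str
    is_superuser: bool = False


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


@dataclass
class TokenStore:
    """Minimal token table: opaque token value -> owning user id."""
    users: Dict[int, User]
    tokens: Dict[str, int] = field(default_factory=dict)

    def issue(self, owner_id: int) -> str:
        if owner_id not in self.users:
            raise KeyError(f"no such user: {owner_id}")
        token = secrets.token_hex(20)  # 160 random bits from the OS CSPRNG
        self.tokens[token] = owner_id
        return token

    def authenticate(self, token: str) -> Optional[User]:
        """What the API does on every request: map the bearer token to a user."""
        owner_id = self.tokens.get(token)
        return self.users.get(owner_id) if owner_id is not None else None


def create_token_vulnerable(store: TokenStore, requester: User, payload: dict) -> str:
    """CWE-639: the JSON body's 'user' field selects the token owner.

    The field is client-controlled and is never compared with the
    authenticated requester, so any logged-in user can mint a token for
    any other account, superusers included.
    """
    owner_id = int(payload.get("user", requester.id))
    return store.issue(owner_id)


def create_token_fixed(store: TokenStore, requester: User, payload: dict) -> str:
    """Hardened form: the owner is derived from the session, not the body.

    Illustrative policy (assumed, not necessarily the upstream fix): a
    client-supplied 'user' is accepted only when it names the requester, or
    when the requester is a superuser; anything else is refused before a
    token is issued.
    """
    requested = payload.get("user")
    if requested is None:
        return store.issue(requester.id)
    try:
        owner_id = int(requested)
    except (TypeError, ValueError):
        raise Forbidden("user must be an integer id")  # input validation
    if owner_id != requester.id and not requester.is_superuser:
        raise Forbidden("cannot create a token for another user")  # access enforcement
    return store.issue(owner_id)


def demo() -> dict:
    """Constructed scenario: an ordinary user (id 7) targets the superuser (id 1)."""
    users = {1: User(1, "admin", is_superuser=True), 7: User(7, "intern")}
    store = TokenStore(users)
    intern, admin = users[7], users[1]
    payload = {"user": 1}  # the target's id, as in the advisory's description

    leaked = create_token_vulnerable(store, intern, payload)
    hijacked_as = store.authenticate(leaked).username

    try:
        create_token_fixed(store, intern, payload)
        blocked = False
    except Forbidden:
        blocked = True

    own = create_token_fixed(store, intern, {})
    delegated = create_token_fixed(store, admin, {"user": 7})
    return {
        "hijacked_as": hijacked_as,  # "admin": the vulnerable path impersonates the target
        "blocked": blocked,  # True: the hardened path refuses the cross-user request
        "own_token_user": store.authenticate(own).username,  # "intern"
        "delegated_token_user": store.authenticate(delegated).username,  # "intern", issued by admin
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is where the owner identity comes from: in the vulnerable path it is a key the client chose, in the hardened path it is the authenticated principal, and any client-supplied key is treated as a request that must be authorized rather than as a fact. The same check should also be applied server-side to any other endpoint that accepts a user ID in the request body.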
Details
- CWE(s)