Cyber Resilience

CVE-2026-35478

High

Published: 08 April 2026

Modified: 20 April 2026
CISA KEV: not listed
Patch: available (InvenTree 1.2.7 and 1.3.0)
CVSS v3.1: 8.3 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.0030 (21.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35478 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in InvenTree (CPE vendor "inventree project", product "inventree"). Its CVSS v3.1 base score is 8.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 21.8th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-35478 affects InvenTree, an open-source inventory management system, in versions from 0.16.0 up to but not including 1.2.7. Any authenticated user can create a valid API token for any other user in the system, including administrators and superusers, by putting the target's user ID in the "user" field of a POST request to the /api/user/tokens/ endpoint: the server accepts the client-supplied key as the token owner instead of binding the token to the authenticated requester. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L): network-reachable, low complexity, requiring only a low-privileged account (PR:L) and no user interaction, with high confidentiality and integrity impact.

An attacker with any valid authenticated account can exploit this remotely over the network with low complexity and no user interaction required. By crafting the specified POST request, they obtain a fully functional API token for the target user, enabling complete impersonation and API access as that user from any location without additional authentication steps. This grants elevated privileges, such as administrative actions, depending on the victim's role.
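The vulnerable pattern and its fix, as an added example (not InvenTree's code): a framework-free Python model of the CWE-639 bug described above, alongside the check that the input-validation control under Mitigating Controls calls for. The User and ApiToken shapes, the in-memory stores, the user IDs and the request bodies are constructed for illustration.

```python
"""Vulnerable vs hardened handling of the `user` field on a token-creation endpoint.

Added example (not InvenTree's code): a framework-free model of the CWE-639 pattern
described for CVE-2026-35478. The User/ApiToken shapes, the in-memory stores and the
request bodies below are constructed for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_superuser: bool = False


@dataclass(frozen=True)
class ApiToken:
    key_hash: str   # only a hash of the secret is stored, as any token table should
    user_id: int    # the account this token authenticates as
    name: str


class Forbidden(Exception):
    """Raised when the requester is not allowed to perform the action."""


# Constructed user directory and token store.
USERS = {1: User(1, "admin", is_superuser=True), 7: User(7, "alice")}
TOKENS: Dict[str, ApiToken] = {}   # key_hash -> token


def _mint(owner_id: int, name: str) -> str:
    """Create a token for owner_id, store only its hash, return the secret once."""
    secret = secrets.token_urlsafe(32)
    key_hash = hashlib.sha256(secret.encode()).hexdigest()
    TOKENS[key_hash] = ApiToken(key_hash, owner_id, name)
    return secret


def create_token_vulnerable(requester: User, body: dict) -> str:
    """CWE-639: the token owner is taken from a client-controlled key.

    The only check is that the referenced user exists, so any authenticated
    requester can mint a token for user 1 by posting {"user": 1}.
    """
    owner_id = int(body.get("user", requester.id))
    if owner_id not in USERS:
        raise KeyError(f"no such user {owner_id}")
    return _mint(owner_id, str(body.get("name", "")))


def create_token_fixed(requester: User, body: dict) -> str:
    """Hardened: the owner is always the authenticated principal.

    A `user` field naming anyone else is rejected rather than silently
    overridden, so a client that relied on the bug fails loudly.
    """
    if "user" in body and int(body["user"]) != requester.id:
        raise Forbidden("tokens can only be created for the requesting user")
    return _mint(requester.id, str(body.get("name", "")))


def authenticate(secret: str) -> Optional[User]:
    """Resolve a presented token secret to the user it authenticates as."""
    tok = TOKENS.get(hashlib.sha256(secret.encode()).hexdigest())
    return USERS[tok.user_id] if tok else None


def demo() -> dict:
    """Run both handlers as the low-privileged user 'alice' targeting user 1."""
    alice = USERS[7]
    malicious_body = {"user": 1, "name": "ci-runner"}   # constructed attacker request
    result = {}

    # Vulnerable path: alice receives a token that authenticates as admin.
    stolen = create_token_vulnerable(alice, malicious_body)
    result["vulnerable_authenticates_as"] = authenticate(stolen).username

    # Fixed path: the same body is refused.
    try:
        create_token_fixed(alice, malicious_body)
        result["fixed_refused"] = False
    except Forbidden:
        result["fixed_refused"] = True

    # Fixed path still lets alice create a token for herself.
    own = create_token_fixed(alice, {"name": "cli"})
    result["fixed_self_authenticates_as"] = authenticate(own).username
    return result


if __name__ == "__main__":
    print(demo())
```

The fix is deliberately a rejection rather than a silent override of the `user` field: overriding would also close the hole, but an explicit 403 surfaces any client or script that was sending another user's ID, which is exactly the activity worth noticing after this bug.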

The GitHub security advisory at https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg details the fix, which ships in InvenTree 1.2.7 and 1.3.0. No workaround is given, so upgrade to a patched release immediately. Upgrading closes the creation path but does not by itself establish that no token was minted while the instance was exposed: a token created through this flaw is an ordinary token and, unless the release notes say the upgrade invalidates it, stays valid until revoked or expired. Enumerate the tokens held by every account, privileged accounts first, and revoke any the owner cannot account for.
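The token review recommended above, worked through as an added example (this is not InvenTree's code and not from the advisory): it runs over a constructed export of the token table joined with each owner's superuser flag. The column names (id, user, is_superuser, name, created, last_seen), the exposure window and the set of owner-confirmed tokens are assumptions for illustration; map them to your own schema before use.

```python
"""Triage of existing API tokens after upgrading past CVE-2026-35478.

Added example, not InvenTree's code. It runs over a constructed export of the token
table joined with each owner's superuser flag; the column names (id, user,
is_superuser, name, created, last_seen) and the exposure window are assumptions
made for illustration, so map them to your own schema before use.
"""
from datetime import datetime
from typing import Iterable, Optional

# Constructed export: one row per API token. `last_seen` None means never presented.
TOKEN_EXPORT = [
    {"id": 1, "user": "admin", "is_superuser": True, "name": "backup-job",
     "created": "2025-11-02T09:15:00Z", "last_seen": "2026-04-19T03:00:00Z"},
    {"id": 2, "user": "admin", "is_superuser": True, "name": "ci-runner",
     "created": "2026-03-14T22:41:00Z", "last_seen": "2026-03-15T01:02:00Z"},
    {"id": 3, "user": "alice", "is_superuser": False, "name": "cli",
     "created": "2026-03-20T10:00:00Z", "last_seen": None},
    {"id": 4, "user": "admin", "is_superuser": True, "name": "ops-laptop",
     "created": "2026-04-01T08:00:00Z", "last_seen": None},
]

# Token ids the owners have already confirmed as theirs (assumed: collected out of band).
CONFIRMED_TOKEN_IDS = frozenset({1})


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def triage(export: Iterable[dict], exposed_from: str, patched_at: str,
           confirmed: frozenset = frozenset()) -> list:
    """Return the tokens to revoke, most urgent first, each with its reasons.

    exposed_from: when a vulnerable release (0.16.0 to 1.2.6) went live here.
    patched_at:   when the instance was upgraded to 1.2.7 or 1.3.0.
    Only tokens created inside that window can have been minted through the flaw;
    the `created` timestamp is set server-side and is not attacker-controlled.
    """
    start, end = _ts(exposed_from), _ts(patched_at)
    findings = []
    for row in export:
        created = _ts(row["created"])
        if row["id"] in confirmed or not (start <= created <= end):
            continue
        used = row["last_seen"] is not None
        reasons = ["created while the instance was exposed"]
        if row["is_superuser"]:
            reasons.append("owner is a superuser: the highest-value target for this flaw")
        reasons.append("already used: review what it did"
                       if used else "never used: may have been minted and stashed")
        findings.append({
            "id": row["id"], "user": row["user"], "name": row["name"],
            "reasons": reasons,
            # superuser-owned and already-used tokens come first
            "_rank": (row["is_superuser"], used),
        })
    findings.sort(key=lambda f: f["_rank"], reverse=True)
    for f in findings:
        del f["_rank"]
    return findings


if __name__ == "__main__":
    for f in triage(TOKEN_EXPORT, "2026-02-01T00:00:00Z", "2026-04-20T12:00:00Z",
                    CONFIRMED_TOKEN_IDS):
        print(f"revoke token {f['id']} ({f['user']}/{f['name']}): " + "; ".join(f["reasons"]))
```

The window is the whole point: a token created before the vulnerable release was deployed cannot have come from this bug, so the list stays short enough to act on, and ranking superuser-owned tokens that have already been used first puts the likely-abused ones at the top of the revocation and log-review queue.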


Vulnerability details

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system, including administrators and superusers, by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immediately usable for full API authentication as the target user, from any network location, with no further interaction required. This vulnerability is fixed in 1.2.7 and 1.3.0.

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1528 Steal Application Access Token (tactic: Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
T1550.001 Application Access Token (tactic: Lateral Movement)
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

The vulnerability lets any authenticated user mint API tokens for any other user, including administrators, which is privilege escalation by impersonation (T1068). The minted token is functionally equivalent to a stolen application access token (T1528), and it is then presented to the API to act as the victim without going through normal authentication (T1550.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35476 (same product: InvenTree)
CVE-2026-33530 (same product: InvenTree)
CVE-2026-39362 (same product: InvenTree)
CVE-2026-35477 (same product: InvenTree)
CVE-2026-27629 (same product: InvenTree)
CVE-2026-0020 (shared weakness: CWE-639)
CVE-2026-41906 (shared weakness: CWE-639)
CVE-2026-38807 (shared weakness: CWE-639)
CVE-2026-8629 (shared weakness: CWE-639)
CVE-2025-13768 (shared weakness: CWE-639)

Affected Assets

inventree project / inventree: versions 0.16.0 through 1.2.6 (fixed in 1.2.7 and 1.3.0)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent): requires verifying the identity of the user before issuing an authenticator such as an API token, so tokens cannot be created for other users, including administrators.

AC-3 Access Enforcement (prevent): enforces approved authorizations on the token creation endpoint so a user cannot generate tokens attributable to another user.

Input validation on the user field (prevent): checks that the user ID in the POST request matches the authenticated requester, closing the user-controlled key bypass.

References

GitHub Security Advisory GHSA-qh5j-c28q-c4rg: https://github.com/inventree/InvenTree/security/advisories/GHSA-qh5j-c28q-c4rg