CVE-2026-39362
Published: 08 April 2026
Summary
CVE-2026-39362 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in InvenTree (vendor: Inventree Project). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 9.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user-supplied remote_image URLs to block those targeting private IP ranges or internal hostnames, directly preventing SSRF exploitation.
AC-4 enforces flow control policies restricting server-side requests.get() to authorized external destinations, mitigating unauthorized internal resource access via SSRF.
SC-7 implements boundary protections such as proxies or WAFs to monitor and block SSRF attempts involving redirect-following or invalid URLs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF vulnerability in a public-facing web application lets authenticated low-privilege users force the server to issue unauthorized requests to internal resources, which is exactly the exploitation of an exposed application for internal access and impact that T1190 describes.
NVD Description
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirects are followed (allow_redirects=True), enabling bypass of any URL-format checks. This vulnerability is fixed in 1.2.7 and 1.3.0.
Deeper analysis
CVE-2026-39362 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting InvenTree, an open-source inventory management system. The issue impacts versions prior to 1.2.7 and 1.3.0 when the opt-in configuration INVENTREE_DOWNLOAD_FROM_URL is enabled. In this scenario, authenticated users can supply remote_image URLs that the server fetches using requests.get(), which relies solely on Django's URLValidator for validation. There is no check against private IP ranges or internal hostnames, and the request follows redirects (allow_redirects=True), allowing attackers to bypass URL-format restrictions.
An attacker with authenticated access (low privileges required) can exploit this over the network with low complexity and no user interaction. By crafting malicious remote_image URLs, they can trick the server into making unauthorized requests to internal resources, potentially leading to low confidentiality impact through information disclosure and high integrity impact by manipulating server-side fetches, such as accessing internal services or bypassing access controls via redirects. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).
The vulnerability is addressed in InvenTree versions 1.2.7 and 1.3.0, which introduce proper validation to prevent SSRF. Additional details are available in the GitHub security advisory at https://github.com/inventree/InvenTree/security/advisories/GHSA-m9j7-jw3m-fr22. Security practitioners should ensure INVENTREE_DOWNLOAD_FROM_URL is disabled unless necessary and upgrade affected instances promptly.
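The following is an added defensive example written for this page; it is not InvenTree's own code, nor its fix. It shows, with only the Python standard library, the two controls the advisory and the SI-10/AC-4 notes above describe as missing: a check on the address a remote_image URL actually resolves to (private, loopback, link-local and IPv4-mapped literals are all rejected), and redirect handling that re-validates every Location hop instead of relying on allow_redirects=True. Everything named here is an assumption of the example: the FAKE_DNS and FAKE_HTTP tables, the hostnames and addresses in them, and the injectable resolver and opener callables that stand in for DNS and for requests.get().

```python
"""Defensive example for CVE-2026-39362-style SSRF (not InvenTree code):
validate a user-supplied remote_image URL before fetching it, and re-validate
every redirect hop rather than letting the HTTP client follow redirects."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_public_ip(ip_text):
    """True only for globally routable unicast addresses. IPv4-mapped IPv6
    literals such as ::ffff:127.0.0.1 are unwrapped first so they cannot
    smuggle a loopback or RFC 1918 target past the IPv4 checks.
    Note: ipaddress.is_private also covers documentation ranges (e.g. 203.0.113.0/24)."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_all(hostname):
    """Real resolver: return every A/AAAA record, so a name that mixes one
    private record with public ones is still rejected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def validate_remote_url(url, resolver=resolve_all):
    """Return the addresses the URL's host resolves to, or raise ValueError.
    Django's URLValidator only checks syntax; this adds the destination check."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parsed.hostname
    try:
        ipaddress.ip_address(host)  # literal IP: no DNS lookup needed
        addresses = [host]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError(f"host does not resolve: {host}")
    for ip in addresses:
        if not is_public_ip(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return addresses


def fetch_remote_image(url, opener, resolver=resolve_all, max_redirects=3):
    """Fetch with redirects handled here: each Location target passes through
    validate_remote_url, which is the step allow_redirects=True skipped.
    opener(url) must return (status, headers, body) without following redirects."""
    current = url
    for _ in range(max_redirects + 1):
        validate_remote_url(current, resolver)
        status, headers, body = opener(current)
        if status in REDIRECT_STATUSES:
            location = headers.get("Location")
            if not location:
                raise ValueError("redirect without Location header")
            current = urljoin(current, location)
            continue
        return current, body
    raise ValueError("too many redirects")


# --- constructed sample DNS and HTTP data; nothing below touches the network ---
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],                 # a public address, sample only
    "intranet.corp.example": ["10.0.0.5"],                # RFC 1918, must be rejected
    "dual.example.com": ["93.184.216.34", "127.0.0.1"],   # one private record poisons the set
}
FAKE_HTTP = {
    "https://cdn.example.com/logo.png": (200, {}, b"\x89PNG constructed bytes"),
    "https://cdn.example.com/moved": (302, {"Location": "http://intranet.corp.example/"}, b""),
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise ValueError(f"host does not resolve: {host}")
    return FAKE_DNS[host]


def fake_opener(url):
    return FAKE_HTTP[url]


def check(url):
    """Demo helper: 'allowed' or the rejection reason for a candidate URL."""
    try:
        fetch_remote_image(url, fake_opener, fake_resolver)
        return "allowed"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for u in ("https://cdn.example.com/logo.png", "https://cdn.example.com/moved",
              "http://127.0.0.1/", "http://[::ffff:127.0.0.1]/", "https://dual.example.com/x"):
        print(u, "->", check(u))
```

Validating the resolved address and then letting the HTTP client resolve the name again leaves a DNS-rebinding window between check and use; a production fix should connect to the address that passed validation (or route outbound fetches through an egress proxy with the same policy, the SC-7 boundary control listed above) rather than re-resolving. Keeping INVENTREE_DOWNLOAD_FROM_URL disabled where it is not needed removes the code path entirely.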
Details
- CWE(s)