CVE-2026-33530

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/inventree/InvenTree/pull/11581	Issue Tracking Patch
https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*

History

01 Apr 2026, 18:48

Type	Values Removed	Values Added
First Time		Inventree Project Inventree Project inventree
CPE		cpe:2.3:a:inventree_project:inventree::::::::
References	~~() https://github.com/inventree/InvenTree/pull/11581 -~~	() https://github.com/inventree/InvenTree/pull/11581 - Issue Tracking, Patch
References	~~() https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg -~~	() https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg - Vendor Advisory

30 Mar 2026, 13:26

Type	Values Removed	Values Added
Summary		(es) InvenTree es un Sistema de Gestión de Inventario de Código Abierto. Antes de la versión 1.2.6, ciertos endpoints de la API asociados con operaciones de datos masivas pueden ser secuestrados para exfiltrar información sensible de la base de datos. Los endpoints de la API de operaciones masivas (por ejemplo, `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, y otros) aceptan un parámetro 'filters' que se pasa directamente a `queryset.filter(**filters)` del ORM de Django sin ninguna lista blanca de campos. Esto permite a cualquier usuario autenticado recorrer relaciones de modelos usando la sintaxis de búsqueda `__` de Django y realizar extracción de datos ciega basada en booleanos. Este problema está parcheado en la versión 1.2.6, y 1.3.0 (o superior). Los usuarios deben actualizar a las versiones parcheadas. No se conocen soluciones alternativas disponibles.

26 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-26 20:16

Updated : 2026-04-01 18:48

NVD link : CVE-2026-33530

Mitre link : CVE-2026-33530

CVE.ORG link : CVE-2026-33530

JSON object : View

Products Affected

inventree_project

inventree

CWE

CWE-202

Exposure of Sensitive Information Through Data Queries

7.7 /10