CVE-2026-33530

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/inventree/InvenTree/pull/11581
https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 20:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33530

Mitre link : CVE-2026-33530

CVE.ORG link : CVE-2026-33530

JSON object : View

Products Affected

No product.

CWE

CWE-202

Exposure of Sensitive Information Through Data Queries

{"id": "CVE-2026-33530", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2026-03-26T20:16:15.237", "references": [{"url": "https://github.com/inventree/InvenTree/pull/11581", "source": "security-advisories@github.com"}, {"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-202"}]}], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."}, {"lang": "es", "value": "InvenTree es un Sistema de Gesti\u00f3n de Inventario de C\u00f3digo Abierto. Antes de la versi\u00f3n 1.2.6, ciertos endpoints de la API asociados con operaciones de datos masivas pueden ser secuestrados para exfiltrar informaci\u00f3n sensible de la base de datos. Los endpoints de la API de operaciones masivas (por ejemplo, `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, y otros) aceptan un par\u00e1metro 'filters' que se pasa directamente a `queryset.filter(**filters)` del ORM de Django sin ninguna lista blanca de campos. Esto permite a cualquier usuario autenticado recorrer relaciones de modelos usando la sintaxis de b\u00fasqueda `__` de Django y realizar extracci\u00f3n de datos ciega basada en booleanos. Este problema est\u00e1 parcheado en la versi\u00f3n 1.2.6, y 1.3.0 (o superior). Los usuarios deben actualizar a las versiones parcheadas. No se conocen soluciones alternativas disponibles."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}