{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39362", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.349Z", "datePublished": "2026-04-08T19:32:46.744Z", "dateUpdated": "2026-04-10T20:44:13.278Z"}, "containers": {"cna": {"title": "InvenTree has SSRF via Remote Image Download \u2014 No IP/Hostname Validation on remote_image URLs", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m9j7-jw3m-fr22", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m9j7-jw3m-fr22"}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"version": "< 1.2.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T19:32:46.744Z"}, "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirects are followed (allow_redirects=True), enabling bypass of any URL-format checks. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "source": {"advisory": "GHSA-m9j7-jw3m-fr22", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:43:57.761676Z", "id": "CVE-2026-39362", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:44:13.278Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39362", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T20:43:57.761676Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:44:09.185Z"}}], "cna": {"title": "InvenTree has SSRF via Remote Image Download \u2014 No IP/Hostname Validation on remote_image URLs", "source": {"advisory": "GHSA-m9j7-jw3m-fr22", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"status": "affected", "version": "< 1.2.7"}]}], "references": [{"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m9j7-jw3m-fr22", "name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m9j7-jw3m-fr22", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirects are followed (allow_redirects=True), enabling bypass of any URL-format checks. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T19:32:46.744Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39362", "state": "PUBLISHED", "dateUpdated": "2026-04-10T20:44:13.278Z", "dateReserved": "2026-04-06T21:29:17.349Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T19:32:46.744Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BE44F53-DDEE-4BA3-B8E3-1C88EBAB4DA0", "versionEndExcluding": "1.2.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirects are followed (allow_redirects=True), enabling bypass of any URL-format checks. This vulnerability is fixed in 1.2.7 and 1.3.0."}], "id": "CVE-2026-39362", "lastModified": "2026-04-21T13:34:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T20:16:25.077", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m9j7-jw3m-fr22"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "InvenTree", "source": "cna", "vendor": "inventree"}, "product": "inventree", "vendor": "inventree"}], "analysis": {"en": {"generated_at": "2026-04-08T20:21:26.178431+00:00", "value": {"mitigation_remediation": ["Upgrade InvenTree to version 1.2.7 or 1.3.0 as soon as possible.", "If an upgrade cannot be performed immediately, disable the INVENTREE_DOWNLOAD_FROM_URL setting to block remote image fetching.", "Restrict outbound traffic from the InvenTree server to trusted domains or block internal IP ranges using a firewall.", "Monitor application logs for suspicious remote_image requests and verify that no internal resources are being accessed."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery exposing internal resources"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the InvenTree inventory management application. All versions prior to 1.2.7 and 1.3.0 are impacted when the INVENTREE_DOWNLOAD_FROM_URL feature is enabled. Users running earlier releases should update to the patched versions to eliminate the flaw.", "description_and_impact": "InvenTree permits authenticated users to upload images by specifying a remote_image URL. The URLs are retrieved server\u2011side with requests.get() using only Django\u2019s URLValidator, which does not validate against private IP ranges or internal hostnames. Redirects are automatically followed, allowing an attacker to point the download to an internal resource or a private IP address. The result is a classic SSRF where the InvenTree server can be coerced into making arbitrary HTTP requests, exposing internal data or enabling further network reconnaissance.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate security impact. The EPSS score is not provided, and the flaw is not listed in the CISA KEV catalog, implying it has not been widely exploited. The attack requires an authenticated user with the download feature enabled, but does not require advanced access. Once authenticated, an attacker can supply a malicious remote_image URL and force the InvenTree server to resolve private or internal addresses, potentially leaking sensitive information or facilitating additional attacks."}}}}, "created": "2026-04-09T08:18:16.125484+00:00", "updated": "2026-04-09T08:27:38.603616+00:00", "vendors": ["inventree", "inventree$PRODUCT$inventree"]}