
InvenTree: Unvalidated User-Controlled Image Download

CVE-2026-39362
Summary

If you use InvenTree, be aware that versions before 1.2.7 and 1.3.0 are vulnerable to server-side request forgery (SSRF) when the opt-in INVENTREE_DOWNLOAD_FROM_URL setting is enabled. Any authenticated user can supply a remote_image URL that the InvenTree server fetches itself; the URL is only checked for valid format, not against private IP ranges or internal hostnames, and redirects are followed, so the server can be made to send requests to internal services the attacker cannot reach directly. To fix this, update to version 1.2.7 or 1.3.0; while INVENTREE_DOWNLOAD_FROM_URL stays disabled, the vulnerable code path is not exposed.

Original description
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirects are followed (allow_redirects=True), enabling bypass of any URL-format checks. This vulnerability is fixed in 1.2.7 and 1.3.0.
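The description above names three weaknesses: a format-only URL check, no check of the resolved address against private ranges, and redirects followed without re-checking. The following is an added example, not InvenTree's code, that shows the fetch pattern the advisory describes beside a hardened version that resolves the host, rejects any non-public address (including IPv4-mapped IPv6 literals), and re-validates every redirect hop. The DNS resolver and HTTP client are injectable so it runs offline; the hostnames, addresses and responses are constructed stand-ins, and the format check stands in for Django's URLValidator rather than reproducing it.

```python
"""Added example (not InvenTree's code): an unvalidated remote-URL fetch beside a
hardened one. Resolver and HTTP opener are injectable; FAKE_* data is constructed."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def system_resolver(host):
    """Resolve host to all its A/AAAA records (used when no resolver is injected)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_str):
    """True only for globally routable addresses; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vulnerable_fetch(url, opener, max_redirects=3):
    """Pattern from the advisory: a format-only check (simplified stand-in for
    Django's URLValidator) and redirects followed without re-checking the target."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        raise ValueError("malformed URL")
    for _ in range(max_redirects + 1):
        status, headers, body = opener(url)
        if status not in REDIRECT_STATUSES:
            return body
        url = urljoin(url, headers["Location"])  # redirect target is never checked
    raise ValueError("too many redirects")


def validate_remote_url(url, resolver=system_resolver):
    """Raise ValueError unless every address the host resolves to is public."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parsed.scheme)
    if parsed.username or parsed.password:
        raise ValueError("userinfo in URL not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal: check it directly
    except ValueError:
        addresses = resolver(host)                     # hostname: check every record
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError("%s resolves to non-public address %s" % (host, addr))
    return parsed


def safe_fetch(url, opener, resolver=system_resolver, max_redirects=3):
    """Hardened fetch: validate the URL, then validate again at every redirect hop."""
    for _ in range(max_redirects + 1):
        validate_remote_url(url, resolver)
        status, headers, body = opener(url)
        if status not in REDIRECT_STATUSES:
            return body
        location = headers.get("Location")
        if not location:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)
    raise ValueError("too many redirects")


def fetch_rejected(url, opener, resolver):
    """True if safe_fetch refuses the URL; helper for checking the example."""
    try:
        safe_fetch(url, opener, resolver)
    except ValueError:
        return True
    return False


# Constructed, offline stand-ins for DNS and the remote server (hypothetical names).
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],  # public address
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["10.0.0.5"],
}
FAKE_RESPONSES = {
    "https://images.example.com/logo.png": (200, {}, b"PNG-bytes"),
    # Attacker-controlled host answering with a redirect into a link-local metadata service.
    "https://images.example.com/bounce": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\n"),
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise ValueError("NXDOMAIN: %s" % host)
    return FAKE_DNS[host]


def fake_opener(url):
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    print(vulnerable_fetch("https://images.example.com/bounce", fake_opener))  # b'ami-id\n'
    print(fetch_rejected("https://images.example.com/bounce", fake_opener, fake_resolver))  # True
```

The hardened path still resolves the name and then lets the HTTP client resolve it again when connecting, so a DNS-rebinding attacker can in principle answer differently between the two lookups; a production fix should also pin the connection to the address that passed validation (or resolve once and connect by IP with the Host header set), and should apply the same check to every hop rather than relying on the client library's redirect handling.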
NVD CVSS 4.0 base score: 5.3
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 8 Apr 2026 · Updated: 10 Apr 2026 · First seen: 8 Apr 2026