InvenTree up to 1.2.2 API Call special elements used in a template engine

Summaryinfo

A vulnerability has been found in InvenTree up to 1.2.2 and classified as problematic. This affects an unknown function of the component API Call Handler. This manipulation causes improper neutralization of special elements used in a template engine. This vulnerability is tracked as CVE-2026-27629. The attack is only possible within the local network. No exploit exists. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as problematic was found in InvenTree up to 1.2.2. Affected by this vulnerability is an unknown part of the component API Call Handler. The manipulation with an unknown input leads to a improper neutralization of special elements used in a template engine vulnerability. The CWE definition for the vulnerability is CWE-1336. The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a staff user to exfiltrate sensitive information or perform code execution on the server. This issue requires access by a user with granted staff permissions, followed by a request to generate a custom batch code via the API. Once the template has been modified in a malicious manner, the API call to generate a new batch code could be made by other users, and the template code will be executed with their user context. The code has been patched to ensure that all template generation is performed within a secure sandboxed context. This issue has been addressed in version 1.2.3, and any versions from 1.3.0 onwards. Some workarounds are available. The batch code template is a configurable global setting which can be adjusted via any user with staff access. To prevent this setting from being edited, it can be overridden at a system level to a default value, preventing it from being edited. This requires system administrator access, and cannot be changed from the client side once the server is running. It is recommended that for InvenTree installations prior to 1.2.3 the `STOCK_BATCH_CODE_TEMPLATE` and `PART_NAME_FORMAT` global settings are overridden at the system level to prevent editing.

It is possible to read the advisory at github.com. This vulnerability is known as CVE-2026-27629 since 02/20/2026. The exploitation appears to be easy. The attack needs to be done within the local network. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1221 according to MITRE ATT&CK.

Upgrading to version 1.2.3 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Name

• InvenTree

Version

• 1.2.0
• 1.2.1
• 1.2.2

Website

• Product: https://github.com/inventree/InvenTree/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion