CVE-2026-27629
📋 TL;DR
InvenTree versions before 1.2.3 have a server-side template injection vulnerability that allows staff users to modify Jinja2 templates for batch code generation. This can lead to sensitive information disclosure or remote code execution when other users trigger batch code generation. The vulnerability requires staff-level access to initially modify the template.
💻 Affected Systems
- InvenTree
📦 What is this software?
InvenTree, by the InvenTree project
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing an attacker to access all data, modify system files, or pivot to other systems.
Likely Case
Sensitive information disclosure including database credentials, API keys, or user data through template injection.
If Mitigated
Limited impact if proper access controls restrict staff permissions and template editing is disabled at the system level.
🎯 Exploit Status
Exploitation requires two steps: 1) Staff user modifies template maliciously, 2) Any user triggers batch code generation. No public exploit code known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.3 or 1.3.0+
Vendor Advisory: https://github.com/inventree/InvenTree/security/advisories/GHSA-cx85-vr3q-9x4m
Restart Required: Yes
Instructions:
1. Back up your InvenTree database and configuration.
2. Update to version 1.2.3 or higher using pip: 'pip install --upgrade inventree==1.2.3'.
3. Restart the InvenTree service.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Override template settings at system level
Prevent editing of the vulnerable template settings by overriding them at the system configuration level.
Set STOCK_BATCH_CODE_TEMPLATE and PART_NAME_FORMAT in the system configuration files so that they cannot be modified from the client side.
🧯 If You Can't Patch
- Restrict staff permissions to only trusted users who require template editing capabilities
- Monitor and audit all template modifications and batch code generation API calls
🔍 How to Verify
Check if Vulnerable:
Check the InvenTree version: if the version is lower than 1.2.3, the system is vulnerable.
Check Version:
python -c "import inventree; print(inventree.__version__)"
Verify Fix Applied:
Verify that the version is 1.2.3 or higher and test that template editing is properly sandboxed.
📡 Detection & Monitoring
Log Indicators:
- Unusual template modifications by staff users
- Multiple batch code generation requests with unusual patterns
- Error logs containing template execution errors
Network Indicators:
- API calls to /api/stock/batch-code/generate/ with unusual parameters
- Outbound connections from server following batch code generation
SIEM Query:
source="inventree" AND (event="template_modified" OR event="batch_code_generated") | stats count by user
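The detection logic above, as an added example that is not part of this advisory: a Python script that reproduces the SIEM query's per-user counts over constructed JSON audit-log lines and, beyond that, correlates the two-step pattern described under Exploit Status (a template change by one user followed by batch code generation by other users). The log field names (ts, source, event, user, setting) are assumptions for the example; InvenTree's real log format is not shown on the page.

```python
import json
from collections import Counter

# Constructed sample audit-log lines (JSON, one per line) in the shape the SIEM
# query above assumes: source, event, acting user, timestamp. Field names are an
# assumption for this example; the page does not show InvenTree's real log format.
SAMPLE_LOGS = """\
{"ts": "2026-03-01T09:00:00Z", "source": "inventree", "event": "login", "user": "alice"}
{"ts": "2026-03-01T09:05:00Z", "source": "inventree", "event": "template_modified", "user": "alice", "setting": "STOCK_BATCH_CODE_TEMPLATE"}
{"ts": "2026-03-01T09:07:00Z", "source": "inventree", "event": "batch_code_generated", "user": "bob"}
{"ts": "2026-03-01T09:08:00Z", "source": "inventree", "event": "batch_code_generated", "user": "carol"}
{"ts": "2026-03-01T09:09:00Z", "source": "nginx", "event": "batch_code_generated", "user": "mallory"}
{"ts": "2026-03-01T09:10:00Z", "source": "inventree", "event": "batch_code_generated", "user": "alice"}
"""

WATCHED_EVENTS = ("template_modified", "batch_code_generated")


def parse_logs(text):
    """Parse newline-delimited JSON log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_by_user(events):
    """Python equivalent of the SIEM query: filter on source and event, count per user."""
    counts = Counter()
    for e in events:
        if e.get("source") == "inventree" and e.get("event") in WATCHED_EVENTS:
            counts[e["user"]] += 1
    return dict(counts)


def correlate_two_step(events):
    """Flag the two-step pattern from the advisory: a template change by one user,
    followed by batch code generation triggered by *other* users, who would render
    the modified template. Returns [(modifier, setting, [affected users]), ...]."""
    pending = []  # template modifications seen so far, in time order
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        if e.get("source") != "inventree":
            continue
        if e["event"] == "template_modified":
            pending.append({"modifier": e["user"], "setting": e.get("setting"), "affected": []})
        elif e["event"] == "batch_code_generated":
            for p in pending:
                if e["user"] != p["modifier"] and e["user"] not in p["affected"]:
                    p["affected"].append(e["user"])
    return [(p["modifier"], p["setting"], p["affected"]) for p in pending if p["affected"]]


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print("count by user:", count_by_user(evts))
    for modifier, setting, affected in correlate_two_step(evts):
        print(f"ALERT: {modifier} changed {setting}; later rendered by {affected}")
```

On the sample data the correlation flags alice's change to STOCK_BATCH_CODE_TEMPLATE with bob and carol as the users who subsequently rendered it, while the nginx-sourced line and alice's own later request are ignored.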