CVE-2026-39362

InvenTree has SSRF via Remote Image Download — No IP/Hostname Validation on remote_image URLs

Description

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirects are followed (allow_redirects=True), enabling bypass of any URL-format checks. This vulnerability is fixed in 1.2.7 and 1.3.0.

INFO

Published Date :

2026-04-08T19:32:46.744Z

Last Modified :

2026-04-08T19:32:46.744Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39362 vulnerability.

Vendors	Products
Inventree	Inventree

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39362.

URL	Resource
https://github.com/inventree/InvenTree/security/advisories/GHSA-m9j7-jw3m-fr22

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability