InvenTree Deploys a Weak Password Change Mechanism in inventree/inventree


Reported on

Jun 16th 2022


When setting a new user password, InvenTree does not require knowledge of the original password or using another form of authentication.

Proof of Concept

1. Log in as a regular user 
2. Go to the account settings link
3. Select Set Password
4. Enter any 8-character password string (this form is not constrained by the common passwords blocked in initial user creation).


If an attacker can gain access to an active user session (i.e. accessing terminal when user stands up), it would not be necessary to know the victim's current password in order to fully compromise the account.

We are processing your report and will contact the inventree team within 24 hours. a year ago
Joe Helle
a year ago


If/when accepted can we please assign this a CVE?

inventree/inventree maintainer has acknowledged this report a year ago
Matthias Mair validated this vulnerability a year ago
Joe Helle has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Matthias Mair marked this as fixed in 0.8.0 with commit b9c9f5 a year ago
Matthias Mair has been awarded the fix bounty
This vulnerability will not receive a CVE
Matthias Mair
a year ago


The fix is targeted for 0.8.0 - which is yet to be released. We discussed the severity in the team and do not think a CVE is warranted.

Joe Helle
a year ago


Understood. No worries on my end.

to join this conversation