mirror of https://github.com/inventree/inventree-website.git synced 2026-03-29 23:48:52 +00:00

add security release warning to news and blog (#269)

* add entries

* Update security release date to 2026-04-08

* Revise security release note with updated details

Updated the security release note with the fixed release date
Matthias Mair
2026-03-26 08:10:40 +01:00
committed by GitHub
parent 9d46bbd373
commit bc41cb8a42
2 changed files with 32 additions and 0 deletions


@@ -0,0 +1,8 @@
---
author: matmair
title: Action required - Upcoming Security Release
---
### Action required - Upcoming Security Release
There will be a security release for InvenTree on 2026-04-08 21:00 UTC. Please read the [blog post](/blog/2026/03/25/security-release) and prepare to update or take your system off the public internet.
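Review bot: the news entry gives the date and time but not which release series receives the fix; the blog post in this same commit says the fixed release is for the 1.2.x series, so stating that here (e.g. "a fixed release for the 1.2.x series") lets readers on older releases see at a glance that they will need to upgrade rather than just patch. The link `/blog/2026/03/25/security-release` is a relative slug dated 2026-03-25 while the commit is dated 2026-03-26; please confirm it matches the blog post's actual path so the call to action does not 404.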


@@ -0,0 +1,24 @@
---
author: matmair
title: Action required - Upcoming Security Release
---
The InvenTree core development team has received a report of a *critical security vulnerability* affecting a large range of releases since 2024. We will release a disclosure and a fixed release for the 1.2.x release series on 2026-04-08 21:00 UTC.
The vulnerability allows for lateral movement and privilege escalation within an InvenTree instance. It has a low attack complexity.
## Steps to take now
We are not aware of active exploitation of this vulnerability, but we recommend that users take the following steps to mitigate risks:
- Do *not* expose your InvenTree instance to the public internet without hardening steps as laid out in the [threat model](https://docs.inventree.org/en/stable/concepts/threat_model/)
- Ensure *registration is disabled* till the release
- Ensure you *trust all users registered* on your instance, especially those with staff or higher permissions
The vulnerability has a low complexity and can be expected to be exploited once released. It is important to prepare to update or take your system off the public internet.
## Security Policy
As always with security related themes we remind all users, security researchers, and intrested parties of our [security policy](https://inventree.readthedocs.io/en/stable/security/).
If you have discovered a security vulnerability, please report it to us via the channels described in the policy. We take all reports seriously and will work to address any vulnerabilities in a timely manner.
We would like to thank the security researcher who reported this and several other vulnerabilities in a responsible manner, and we encourage others to do the same in the future. The reporter will be credited in the disclosure and CVE entry.
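Review bot: typo in the Security Policy paragraph, "intrested" should be "interested", and "till the release" in the second mitigation bullet reads better as "until the release". On substance, the post says a large range of releases since 2024 is affected but that the fix ships only for the 1.2.x series; it would help operators on older series to state explicitly that they must upgrade to 1.2.x to receive the fix, since the current wording leaves that implicit. The two documentation links also point at different hosts (`docs.inventree.org` for the threat model, `inventree.readthedocs.io` for the security policy); consider using one canonical host so both stay valid.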