SB2026051174 - Multiple vulnerabilities in snipe-it
Published: May 11, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-37709)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in app/Http/Controllers/Api/UploadedFilesController.php when handling POST requests to /api/v1/{object_type}/{id}/files. A remote user holding only view permission can upload a file and execute arbitrary code.
The affected API endpoint authorizes file uploads using view permission instead of write permission and persists the uploaded file and an audit log entry.
2) Open redirect (CVE-ID: CVE-2026-44833)
The vulnerability allows a remote user to redirect users to malicious sites.
The vulnerability exists due to URL redirection to an untrusted site in Helper::getRedirectOption() when processing a redirect based on an unvalidated HTTP Referer header stored in a session variable. A remote user can poison the session with a crafted back_url value to redirect users to malicious sites.
User interaction is required when the victim clicks the "Save" action, and practical exploitation requires session poisoning.
3) Improper access control (CVE-ID: CVE-2026-44832)
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in the /api/v1/users/{id} API endpoint when handling PATCH requests with permission fields. A remote user can send a specially crafted PATCH request with permissions[admin]=1 to escalate privileges.
Exploitation requires the users.edit permission and allows modification of the attacker's own account permissions.
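Both API issues above (the file-upload endpoint in item 1 and the PATCH permission change in item 3) are visible as request patterns that can be reviewed while the update is rolled out. The following added example (not snipe-it code) flags those patterns in constructed JSON access-log lines; the log format, its field names and the sample entries are assumptions for illustration only.

```python
"""Flag API requests matching the patterns in this bulletin.

Assumes one JSON object per line with the fields: method, path,
user_id (the authenticated caller) and body_keys (submitted form
field names). This format and the sample entries are constructed.
"""
import json
import re

USERS_PATCH = re.compile(r"^/api/v1/users/(\d+)$")
FILES_POST = re.compile(r"^/api/v1/[a-z_]+/\d+/files$")

# Constructed sample log lines for the demonstration.
SAMPLE_LOG = """
{"method":"PATCH","path":"/api/v1/users/42","user_id":42,"body_keys":["permissions[admin]"]}
{"method":"PATCH","path":"/api/v1/users/7","user_id":42,"body_keys":["first_name"]}
{"method":"POST","path":"/api/v1/hardware/15/files","user_id":42,"body_keys":["file[]"]}
{"method":"GET","path":"/api/v1/users/42","user_id":42,"body_keys":[]}
{"method":"PATCH","path":"/api/v1/users/9","user_id":3,"body_keys":["permissions[users.edit]"]}
"""


def classify(entry):
    """Return a finding tag for one log entry, or None if it is uninteresting."""
    method = entry["method"].upper()
    path = entry["path"]
    match = USERS_PATCH.match(path)
    if method == "PATCH" and match:
        # Item 3: permission fields sent to the users endpoint. A caller
        # editing their own record is the case the bulletin describes.
        perm_keys = [k for k in entry.get("body_keys", []) if k.startswith("permissions[")]
        if perm_keys:
            if int(match.group(1)) == entry["user_id"]:
                return "self-permission-change"
            return "permission-change"
    if method == "POST" and FILES_POST.match(path):
        # Item 1: file uploads; compare the caller against the write
        # permission they should hold during review.
        return "file-upload"
    return None


def scan(text):
    """Return (user_id, path, tag) for every flagged entry in the log text."""
    findings = []
    for line in text.strip().splitlines():
        entry = json.loads(line)
        tag = classify(entry)
        if tag:
            findings.append((entry["user_id"], entry["path"], tag))
    return findings
```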
4) Cross-site scripting (CVE-ID: CVE-2026-44831)
The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.
The vulnerability exists due to cross-site scripting in the component checkout notes column when rendering stored notes content. A remote user can inject a malicious script into notes to execute arbitrary script code in a victim's browser.
User interaction is required, and users with component view access could be impacted.
Remediation
Install the update from the vendor's website.
References
- https://github.com/grokability/snipe-it/security/advisories/GHSA-xg82-2hrv-hf64
- https://github.com/grokability/snipe-it/commit/676a9958895a77de340565e7a0b17ae744664904
- https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg
- https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373
- https://github.com/grokability/snipe-it/security/advisories/GHSA-hq28-crg7-95pr
- https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569
- https://github.com/grokability/snipe-it/security/advisories/GHSA-r42m-953q-6vjx
- https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438