SB2026051174 - Multiple vulnerabilities in snipe-it



Published: May 11, 2026 Updated: June 15, 2026

Security Bulletin ID SB2026051174
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium: 20% (1 of 5)
Low: 80% (4 of 5)

Description

This security bulletin contains information about 5 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-37709)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to upload files to objects they are only permitted to view.

The vulnerability exists due to improper access control in app/Http/Controllers/Api/UploadedFilesController.php when handling POST requests to /api/v1/{object_type}/{id}/files. The endpoint authorizes the upload against the view permission for the target object instead of the write permission, then persists the uploaded file and writes an audit log entry. A remote user who holds only view permission on an object can therefore attach arbitrary files to it, which matches the integrity-only impact in the CVSS vector above.


2) Open redirect (CVE-ID: CVE-2026-44833)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to redirect victims to malicious sites.

The vulnerability exists due to URL redirection to an untrusted site in Helper::getRedirectOption(), which redirects to a value taken from the HTTP Referer header and stored in the session (back_url) without validating that the value points back to the application. A remote user who can poison the victim's session with a crafted back_url value can redirect the victim to a malicious site.

User interaction is required: the victim must click the "Save" action. Practical exploitation also requires session poisoning.
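To illustrate the check that a Referer-derived back_url value needs before it is used as a redirect target, here is an added example (it is not Snipe-IT code and not the vendor's fix): a same-origin validator that rejects the usual bypasses (protocol-relative URLs, userinfo tricks, backslashes, foreign schemes, look-alike hosts) and hands back only a relative path. The function name safe_redirect_target, the app_origin parameter and the sample URLs are assumptions made for the example.

```python
"""Same-origin check for a stored back_url / Referer redirect target (added example)."""
from urllib.parse import urlsplit, urlunsplit


def _effective_port(parts) -> int:
    # urlsplit().port raises ValueError for garbage such as "host:abc" or an
    # out-of-range port; callers catch that and treat it as untrusted.
    port = parts.port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return port


def safe_redirect_target(candidate: str, app_origin: str, fallback: str = "/") -> str:
    """Return `candidate` only when it stays on `app_origin`, otherwise `fallback`.

    The returned value is always a relative URL, so even a stored absolute URL
    can never be replayed against another host.
    """
    if not candidate:
        return fallback
    # Control characters and whitespace can hide a scheme from naive prefix checks.
    if any(ord(ch) < 0x21 for ch in candidate):
        return fallback
    # Browsers treat backslashes as forward slashes: "/\evil" is really "//evil".
    candidate = candidate.replace("\\", "/")

    parts = urlsplit(candidate)
    app = urlsplit(app_origin)

    if parts.scheme == "" and parts.netloc == "":
        # Path-only target. "//host/..." is protocol-relative and must be rejected.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or scheme != app.scheme.lower():
        return fallback  # javascript:, data:, or a scheme downgrade
    try:
        # .hostname strips userinfo ("app.example.com@evil") and the port, so a
        # plain string comparison of the host is safe here.
        same_host = (parts.hostname or "").lower() == (app.hostname or "").lower()
        same_port = _effective_port(parts) == _effective_port(app)
    except ValueError:
        return fallback
    if not (same_host and same_port):
        return fallback
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    origin = "https://app.example.com"  # assumed application origin
    for url in ("https://app.example.com/hardware/5", "//evil.example/",
                "https://app.example.com@evil.example/", "/\\evil.example/"):
        print(repr(url), "->", safe_redirect_target(url, origin))
```

The important design choice is the last line: after validation the target is re-emitted as a relative URL, so the session value never carries a host at all. Storing only the path in back_url in the first place removes the problem entirely.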


3) Improper access control (CVE-ID: CVE-2026-44832)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in the /api/v1/users/{id} API endpoint when handling PATCH requests that include permission fields. The endpoint accepts the permissions array from any caller holding users.edit, so a remote user can send a PATCH request containing permissions[admin]=1 against their own user ID and grant themselves administrative permissions.

Exploitation requires the users.edit permission; the caller can modify the permissions of their own account.
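As an added example (not Snipe-IT's code and not the vendor's patch), the following Python models the pattern behind this issue: a PATCH body in PHP's bracket syntax, a handler that writes every submitted field once users.edit passes, and a hardened handler that treats the permissions array as a separate, higher-privilege operation that can never target the caller's own account. The FILLABLE field list, the superuser permission name and the user records are assumptions made for the example.

```python
"""Mass assignment of permission fields on a user-update endpoint (added example)."""
from urllib.parse import parse_qsl


def parse_php_form(body: str) -> dict:
    """Expand PHP/Laravel bracket keys: 'permissions[admin]=1' -> {'permissions': {'admin': '1'}}.

    Numeric/empty list syntax ('tags[]=x') is not handled; it is not needed here.
    """
    result: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        path = key.replace("]", "").split("[")
        node = result
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    return result


# Field names a users.edit holder may legitimately change (assumed list).
FILLABLE = {"first_name", "last_name", "email", "notes"}


def update_user_vulnerable(actor: dict, target: dict, fields: dict) -> dict:
    """Pattern behind the bug: users.edit gates the route, then every field is written."""
    if actor["permissions"].get("users.edit") != "1":
        raise PermissionError("users.edit required")
    for key, value in fields.items():
        if key == "permissions":
            target["permissions"].update(value)  # attacker-chosen keys land here
        else:
            target[key] = value
    return target


def update_user_hardened(actor: dict, target: dict, fields: dict) -> dict:
    """Only whitelisted fields are written; permission edits need more than users.edit."""
    if actor["permissions"].get("users.edit") != "1":
        raise PermissionError("users.edit required")
    accepted = {k: v for k, v in fields.items() if k in FILLABLE}
    if "permissions" in fields:
        # Changing permissions is a separate privilege (assumed name: superuser) ...
        if actor["permissions"].get("superuser") != "1":
            raise PermissionError("permission changes require superuser")
        # ... and is never allowed against the caller's own account.
        if actor["id"] == target["id"]:
            raise PermissionError("cannot change own permissions")
        accepted["permissions"] = dict(fields["permissions"])
    for key, value in accepted.items():
        if key == "permissions":
            target["permissions"].update(value)
        else:
            target[key] = value
    return target


if __name__ == "__main__":
    # Constructed request: a users.edit holder patching their own record.
    body = "first_name=Mallory&permissions[admin]=1"
    fields = parse_php_form(body)
    actor = {"id": 7, "permissions": {"users.edit": "1"}}
    own_record = {"id": 7, "first_name": "M", "permissions": {"users.edit": "1"}}
    print("vulnerable:", update_user_vulnerable(actor, own_record, fields)["permissions"])
    try:
        update_user_hardened(actor, {"id": 7, "first_name": "M", "permissions": {"users.edit": "1"}}, fields)
    except PermissionError as exc:
        print("hardened:", exc)
```

The whitelist matters as much as the superuser check: a handler that rejects `permissions` but still copies every other key into the model leaves the next sensitive attribute (group membership, activation flags) exposed to the same trick.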


4) Cross-site scripting (CVE-ID: CVE-2026-44831)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.

The vulnerability exists due to insufficient sanitization of stored notes in the component checkout notes column: the notes content is rendered without output encoding. A remote user who can write checkout notes can inject a malicious script that executes in the browser of any user who views the component.

User interaction is required (the victim must view the affected page), and any user with component view access can be impacted.


5) Improper Authorization (CVE-ID: N/A)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to delete files attached to assets.

The vulnerability exists due to improper authorization in the file deletion endpoint when handling deletion requests for asset attachments. The endpoint does not verify that the requester is authorized to delete the attachment, so a remote attacker can send a crafted request and delete files attached to any asset in the system.

The issue affects both the web and API controllers.


Remediation

Install the update from the vendor's website.