Improper access control in snipe-it - CVE-2026-37709

 

Improper access control in snipe-it - CVE-2026-37709

Published: May 11, 2026


Vulnerability identifier: #VU130985
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-37709
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: snipe
Affected software:
snipe-it

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper access control in app/Http/Controllers/Api/UploadedFilesController.php when handling POST requests to /api/v1/{object_type}/{id}/files. A remote user can upload a file with only view permission to execute arbitrary code.

The affected API endpoint authorizes file uploads using view permission instead of write permission and persists the uploaded file and an audit log entry.


How to mitigate CVE-2026-37709

Install security update from vendor's website.

Sources