Improper access control in snipe-it - CVE-2026-37709
Published: May 11, 2026

Vulnerability identifier: #VU130985
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-37709
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
snipe-it
Software vendor:
snipe

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper access control in app/Http/Controllers/Api/UploadedFilesController.php when handling POST requests to /api/v1/{object_type}/{id}/files. A remote user holding only the view permission can upload a file and execute arbitrary code.

The affected API endpoint authorizes file uploads against the view permission rather than the write permission, and then persists both the uploaded file and an audit log entry.
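To show the class of defect the description refers to, the following is an added example written for this page, not Snipe-IT's own controller code: a Laravel-style upload action for the route shape above that gates a write operation on a read ability, next to the corrected form. Only the route shape and the controller file path come from the advisory; the model classes, the ability names `view` and `update`, the `Actionlog` audit model and its columns, and the validation rules are assumptions used for illustration.

```php
<?php
// Added illustration (not Snipe-IT's code): a Laravel controller action for
// POST /api/v1/{object_type}/{id}/files, in a vulnerable and a fixed form.

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class UploadedFilesController extends Controller
{
    // Assumed helper: maps {object_type} ('assets', 'users', ...) to an
    // Eloquent model class. The mapping is illustrative only.
    private function resolveModel(string $objectType): string
    {
        $map = [
            'assets' => \App\Models\Asset::class,
            'users'  => \App\Models\User::class,
        ];
        abort_unless(isset($map[$objectType]), 404);
        return $map[$objectType];
    }

    // VULNERABLE pattern: storing a file modifies the object, but the check
    // only asks "may this user view the object?". Any user with read-only
    // access passes, and the file plus an audit row are persisted.
    public function storeVulnerable(Request $request, string $objectType, int $id): JsonResponse
    {
        $model = $this->resolveModel($objectType);
        $item  = $model::findOrFail($id);

        $this->authorize('view', $item);   // wrong ability for a write operation

        return $this->persistUpload($request, $item);
    }

    // FIXED pattern: a write operation is gated on a write ability.
    // authorize() throws AuthorizationException (HTTP 403) when the policy denies.
    public function store(Request $request, string $objectType, int $id): JsonResponse
    {
        $model = $this->resolveModel($objectType);
        $item  = $model::findOrFail($id);

        $this->authorize('update', $item); // 'update' is the assumed write ability

        return $this->persistUpload($request, $item);
    }

    // Shared persistence. Input validation is kept here so the policy check is
    // not the only control on what reaches disk.
    private function persistUpload(Request $request, $item): JsonResponse
    {
        $validated = $request->validate([
            'file'  => ['required', 'file', 'max:10240'],
            'notes' => ['nullable', 'string', 'max:500'],
        ]);

        // Store outside the web root; the 'local' disk is assumed to be private.
        $path = $validated['file']->store('private_uploads/' . $item->getTable(), 'local');

        // Audit entry (assumed model and columns), reflecting the advisory's note
        // that the endpoint persists both the file and a log record.
        \App\Models\Actionlog::create([
            'action_type' => 'uploaded',
            'item_type'   => get_class($item),
            'item_id'     => $item->id,
            'filename'    => basename($path),
            'user_id'     => $request->user()->id,
            'note'        => $validated['notes'] ?? null,
        ]);

        return response()->json(['status' => 'success', 'path' => $path], 201);
    }
}
```

The only line that differs between the two actions is the ability passed to `authorize()`. When reviewing similar endpoints, the check to make is whether every handler that creates, modifies or deletes state is gated on a write ability of the target object, and whether the audit log records denied attempts as well as successful uploads.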

Remediation

Install security update from vendor's website.

External links