Main Vulnerability Database Vulnerabilities #VU130987

Improper access control in snipe-it - CVE-2026-44832

Published: May 11, 2026

Vulnerability identifier: #VU130987

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-44832

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
snipe-it

Software vendor:
snipe

Description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in the /api/v1/users/{id} API endpoint when handling PATCH requests with permission fields. A remote user can send a specially crafted PATCH request with permissions[admin]=1 to escalate privileges.

Exploitation requires the users.edit permission and allows modification of the attacker's own account permissions.

Remediation

Install security update from vendor's website.

External links

https://github.com/grokability/snipe-it/security/advisories/GHSA-hq28-crg7-95pr
https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569

Improper access control in snipe-it - CVE-2026-44832

Description

Remediation

External links

Please verify you're human