CVE-2026-38533
Status: Received - Intake
Improper Authorization in Snipe-IT API Allows Privilege Escalation

Publication date: 2026-04-14

Last updated on: 2026-05-01

Assigner: MITRE

Description
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users by supplying a crafted PUT request.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-04-14
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: snipeitapp
Product: snipe-it
Version / Range: 8.4.0
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an improper authorization flaw in Snipe-IT version 8.4.0 affecting the PUT /api/v1/users/{id} API endpoint.

It allows an authenticated user who has the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users by sending a specially crafted PUT request.

Specifically, attackers can reset passwords and deactivate accounts of other users without proper authorization checks, because the system only verifies that neither the attacker nor the target is an admin, but does not ensure that the attacker is modifying their own account.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized password resets and account deactivations of other non-admin users.

  • Confidentiality impact: An attacker can authenticate as another user after resetting their password.
  • Integrity impact: An attacker can overwrite passwords and account states of other users.
  • Availability impact: An attacker can deactivate user accounts, causing denial of service.

Additionally, attackers can escalate privileges by resetting passwords of more privileged users like managers to access sensitive data or deactivate multiple accounts simultaneously.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or suspicious PUT requests to the /api/v1/users/{id} endpoint, especially those that modify sensitive authentication fields such as passwords or account activation status.

Detection can involve checking audit logs for password resets or account deactivations performed by users with the users.edit permission on accounts other than their own.

Suggested commands include using network traffic inspection tools (e.g., tcpdump, Wireshark) to filter HTTP PUT requests to the vulnerable endpoint, or querying application logs for such events.

  • Example command to monitor HTTP PUT requests to the endpoint using tcpdump: tcpdump -i any -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'PUT /api/v1/users/'
  • Example command to search application logs for password or activation changes: grep -E 'password|activated' /path/to/snipeit/logs/*

Additionally, enabling audit logging with actor ID, target ID, IP address, and timestamps can help detect exploitation attempts.
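The log-side check described in this answer, as an added Python example that is not part of the page or of Snipe-IT; the audit line layout (actor ID, target ID, IP, timestamp, changed fields) and the sample lines are constructed assumptions:

```python
import re

# Constructed sample audit lines, not real Snipe-IT output; the layout follows the
# page's advice to log actor ID, target ID, IP address and timestamp (assumption).
SAMPLE_LOG = """\
2026-04-15T10:01:02Z actor=17 target=17 ip=203.0.113.9 method=PUT path=/api/v1/users/17 fields=password
2026-04-15T10:02:11Z actor=17 target=42 ip=203.0.113.9 method=PUT path=/api/v1/users/42 fields=password,activated
2026-04-15T10:02:13Z actor=17 target=43 ip=203.0.113.9 method=PUT path=/api/v1/users/43 fields=activated
2026-04-15T10:05:40Z actor=8 target=51 ip=198.51.100.4 method=PUT path=/api/v1/users/51 fields=department
2026-04-15T10:06:00Z actor=17 target=44 ip=203.0.113.9 method=GET path=/api/v1/users/44 fields=
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) actor=(?P<actor>\d+) target=(?P<target>\d+) ip=(?P<ip>\S+) "
                     r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) fields=(?P<fields>\S*)$")
USER_PATH_RE = re.compile(r"^/api/v1/users/\d+/?$")
# The authentication / account-state fields the advisory is about.
SENSITIVE_FIELDS = {"password", "activated"}

def parse_line(line):
    """Return a record dict for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {f for f in rec["fields"].split(",") if f}
    return rec

def find_cross_user_auth_edits(log_text):
    """Flag PUTs to /api/v1/users/{id} that change another user's password or activation."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "PUT":
            continue
        if not USER_PATH_RE.match(rec["path"]):
            continue
        touched = rec["fields"] & SENSITIVE_FIELDS
        # Editing your own account is legitimate; a different target is the signal.
        if touched and rec["actor"] != rec["target"]:
            findings.append({"ts": rec["ts"], "actor": rec["actor"], "ip": rec["ip"],
                             "target": rec["target"], "fields": sorted(touched)})
    return findings

def bulk_actors(findings, threshold=2):
    """Actors hitting >= threshold distinct other users, i.e. likely bulk abuse."""
    per_actor = {}
    for f in findings:
        per_actor.setdefault(f["actor"], set()).add(f["target"])
    return {a: len(t) for a, t in per_actor.items() if len(t) >= threshold}
```

Unlike a packet capture on port 80, this reads the application's own audit trail, so it still works when the API is served over TLS.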


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated users with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users, including resetting passwords and deactivating accounts without proper authorization.

This improper authorization flaw can lead to unauthorized access to user accounts (confidentiality breach), unauthorized modification of user credentials (integrity breach), and denial of service by deactivating accounts (availability breach).

Such breaches can impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data, ensuring data integrity, and maintaining availability of services.

Specifically, unauthorized password resets and account deactivations could lead to unauthorized data access or loss of access for legitimate users, potentially violating data protection and security requirements mandated by these regulations.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include modifying the authorization logic in the canEditAuthFields gate to ensure that users can only modify their own authentication fields.

  • Update the gate to require that the caller's user ID matches the target user's ID, preventing users from editing other users' sensitive fields.
  • Require verification of the current password when non-admin users attempt to change their own password.
  • Introduce a separate permission (e.g., users.edit-auth) specifically for modifying passwords and account activation states, distinct from general user editing permissions.
  • Implement API rate limiting on the PUT /api/v1/users/ endpoint to prevent automated bulk attacks.
  • Enable detailed audit logging for password changes and account deactivations, including actor ID, target ID, IP address, and timestamps.
  • Set up alerts to detect anomalous activity patterns related to user authentication changes.
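The gate logic from the explanation at the top of the Q&A and the corrected form from the bullets above, as an added Python model that is not Snipe-IT's code; the User shape, the placeholder hashing and the admin shortcut are assumptions:

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Toy model of the users.edit / canEditAuthFields decision this page describes.
# Not Snipe-IT's code: the User shape, hashing and admin shortcut are assumptions.
@dataclass
class User:
    id: int
    is_admin: bool = False
    permissions: set = field(default_factory=set)
    password_hash: bytes = b""

def hash_password(pw):
    # Placeholder hashing for the demo only; a real app uses bcrypt or argon2.
    return hashlib.sha256(pw.encode()).digest()

def vulnerable_gate(actor, target):
    """Mirrors the flaw: checks users.edit and that neither side is an admin,
    but never asks whether actor and target are the same user."""
    return ("users.edit" in actor.permissions
            and not actor.is_admin and not target.is_admin)

def hardened_gate(actor, target, current_password=None):
    """Applies the page's mitigations: same user only, a dedicated
    users.edit-auth permission, and re-verification of the current password."""
    if actor.is_admin:                    # admin path left unchanged (assumption)
        return True
    if actor.id != target.id:             # the check that was missing
        return False
    if "users.edit-auth" not in actor.permissions or current_password is None:
        return False
    return hmac.compare_digest(hash_password(current_password), actor.password_hash)

def demo():
    # Constructed sample accounts: a low-privilege caller and an unrelated user.
    caller = User(17, permissions={"users.edit", "users.edit-auth"},
                  password_hash=hash_password("correct horse"))
    other = User(42, password_hash=hash_password("battery staple"))
    return {
        "vuln_cross_user": vulnerable_gate(caller, other),
        "hard_cross_user": hardened_gate(caller, other, "correct horse"),
        "hard_self_ok": hardened_gate(caller, caller, "correct horse"),
        "hard_self_wrong_pw": hardened_gate(caller, caller, "guess"),
    }

if __name__ == "__main__":
    print(demo())
```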
