CVE-2026-38533
Received Received - Intake
Improper Authorization in Snipe-IT API Allows Privilege Escalation

Publication date: 2026-04-14

Last updated on: 2026-05-01

Assigner: MITRE

Description
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-38533
EUVD
EUVD-2026-22305
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
snipeitapp snipe-it 8.4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an improper authorization flaw in Snipe-IT version 8.4.0 affecting the PUT /api/v1/users/{id} API endpoint.

It allows an authenticated user who has the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users by sending a specially crafted PUT request.

Specifically, attackers can reset passwords and deactivate accounts of other users without proper authorization checks, because the system only verifies that neither the attacker nor the target is an admin, but does not ensure that the attacker is modifying their own account.

Impact Analysis

This vulnerability can have severe impacts including unauthorized password resets and account deactivations of other non-admin users.

  • Confidentiality impact: An attacker can authenticate as another user after resetting their password.
  • Integrity impact: An attacker can overwrite passwords and account states of other users.
  • Availability impact: An attacker can deactivate user accounts, causing denial of service.

Additionally, attackers can escalate privileges by resetting passwords of more privileged users like managers to access sensitive data or deactivate multiple accounts simultaneously.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious PUT requests to the /api/v1/users/{id} endpoint, especially those that modify sensitive authentication fields such as passwords or account activation status.

Detection can involve checking audit logs for password resets or account deactivations performed by users with the users.edit permission on accounts other than their own.

Suggested commands include using network traffic inspection tools (e.g., tcpdump, Wireshark) to filter HTTP PUT requests to the vulnerable endpoint, or querying application logs for such events.

  • Example command to monitor HTTP PUT requests to the endpoint using tcpdump: tcpdump -i any -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'PUT /api/v1/users/'
  • Example command to search application logs for password or activation changes: grep -E 'password|activated' /path/to/snipeit/logs/*

Additionally, enabling audit logging with actor ID, target ID, IP address, and timestamps can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include modifying the authorization logic in the canEditAuthFields gate to ensure that users can only modify their own authentication fields.

  • Update the gate to require that the caller's user ID matches the target user's ID, preventing users from editing other users' sensitive fields.
  • Require verification of the current password when non-admin users attempt to change their own password.
  • Introduce a separate permission (e.g., users.edit-auth) specifically for modifying passwords and account activation states, distinct from general user editing permissions.
  • Implement API rate limiting on the PUT /api/v1/users/ endpoint to prevent automated bulk attacks.
  • Enable detailed audit logging for password changes and account deactivations, including actor ID, target ID, IP address, and timestamps.
  • Set up alerts to detect anomalous activity patterns related to user authentication changes.
Compliance Impact

The vulnerability allows authenticated users with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users, including resetting passwords and deactivating accounts without proper authorization.

This improper authorization flaw can lead to unauthorized access to user accounts (confidentiality breach), unauthorized modification of user credentials (integrity breach), and denial of service by deactivating accounts (availability breach).

Such breaches can impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data, ensuring data integrity, and maintaining availability of services.

Specifically, unauthorized password resets and account deactivations could lead to unauthorized data access or loss of access for legitimate users, potentially violating data protection and security requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38533. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart