CVE-2026-37709
Status: Undergoing Analysis - In Progress
Insecure Permissions in Snipe-IT Allow Arbitrary Code Execution

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: MITRE

Description
Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before (fixed after 2026-03-10 in commit 676a9958) allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component.
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-07
Generated: 2026-05-09
AI Q&A: 2026-05-07
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Vendor Product Version / Range
grokability snipe-it to 8.4.1 (exc)
grokability snipe-it From 8.4.1 (inc)
CWE
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-37709 is a high-severity vulnerability in the Snipe-IT asset management system versions 8.4.0 and earlier. It arises from insecure permissions in the file upload functionality.

Specifically, the vulnerability is due to improper authorization checks in the UploadedFilesController.php component, where users with only 'view' permissions could upload arbitrary files via a POST request to the API endpoint /api/v1/{object_type}/{id}/files.

This flaw allowed remote attackers to execute arbitrary code by exploiting the incorrect permission validation, which was supposed to require 'update' (write) permissions but only required 'view' permissions.

The issue was fixed in version 8.4.1 by changing the authorization check from 'view' to 'update' permissions in the store method of the UploadedFilesController.


How can this vulnerability impact me?

This vulnerability can have severe impacts as it allows a remote attacker to execute arbitrary code on the affected system.

An attacker with only view permissions could upload malicious files, potentially leading to full system compromise, unauthorized data access, or disruption of services.

Because the vulnerability affects core file upload authorization, it can be exploited without user interaction or elevated privileges, increasing the risk and ease of exploitation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the endpoint /api/v1/{object_type}/{id}/files, which is used for file uploads in the Snipe-IT system.

Specifically, detection involves checking if users with only 'view' permissions are able to upload files, which should not be allowed.

You can use network monitoring tools or web server logs to identify such POST requests.

  • Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for POST requests to /api/v1/*/files.
  • Check web server access logs for POST requests to the file upload API endpoint.
  • Use curl or similar command-line tools to test the endpoint with a user account that has only 'view' permissions to see if file uploads are allowed.
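The log review described above can be scripted. The following is an added example, not code from the Snipe-IT project or from this advisory: it parses a few constructed access-log lines in combined log format, picks out POST requests to /api/v1/{object_type}/{id}/files, and flags those made by accounts that do not hold the 'update' permission on that object type. It assumes the reverse proxy records the authenticated username in the remote-user field and that the permission map (here a constructed dictionary) is exported from the Snipe-IT admin console; a 2xx status on a flagged request is the strongest signal, because it means a view-only account actually uploaded a file.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in Apache/nginx combined format (not real traffic).
# The third field is assumed to carry the authenticated Snipe-IT username.
SAMPLE_LOG = """\
10.0.0.5 - viewer1 [07/May/2026:10:01:12 +0000] "POST /api/v1/hardware/42/files HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.6 - admin1 [07/May/2026:10:02:30 +0000] "POST /api/v1/hardware/42/files HTTP/1.1" 200 530 "-" "Mozilla/5.0"
10.0.0.5 - viewer1 [07/May/2026:10:03:01 +0000] "GET /api/v1/hardware/42/files HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.7 - viewer2 [07/May/2026:10:04:45 +0000] "POST /api/v1/users/7/files HTTP/1.1" 403 120 "-" "curl/8.0"
10.0.0.8 - editor1 [07/May/2026:10:05:00 +0000] "POST /api/v1/licenses/3/files HTTP/1.1" 201 300 "-" "python-requests/2.31"
"""

# Constructed permission map: username -> object_type -> set of granted permissions.
# In practice this would be exported from the Snipe-IT user/permission settings.
SAMPLE_PERMISSIONS = {
    "viewer1": {"hardware": {"view"}},
    "admin1": {"hardware": {"view", "update", "delete"}},
    "viewer2": {"users": {"view"}},
    "editor1": {"licenses": {"view", "update"}},
}

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The upload endpoint named in the advisory: /api/v1/{object_type}/{id}/files
UPLOAD_PATH_RE = re.compile(
    r'^/api/v1/(?P<object_type>[a-z]+)/(?P<object_id>\d+)/files/?(?:\?.*)?$'
)


@dataclass
class Finding:
    ts: str
    ip: str
    user: str
    object_type: str
    object_id: int
    status: int
    verdict: str  # "confirmed" for a 2xx response, "attempted" otherwise


def parse_line(line):
    """Return the parsed fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def upload_target(method, path):
    """Return {object_type, object_id} if the request is a file upload POST."""
    if method != "POST":
        return None
    m = UPLOAD_PATH_RE.match(path)
    return m.groupdict() if m else None


def find_view_only_uploads(log_text, permissions):
    """Flag upload POSTs by accounts lacking 'update' on the target object type.

    Accounts absent from the permission map are treated as having no
    permissions, so their uploads are flagged as well.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = upload_target(rec["method"], rec["path"])
        if target is None:
            continue
        granted = permissions.get(rec["user"], {}).get(target["object_type"], set())
        if "update" in granted:
            continue  # the fixed behaviour: update permission is what uploads require
        verdict = "confirmed" if 200 <= rec["status"] < 300 else "attempted"
        findings.append(Finding(
            ts=rec["ts"], ip=rec["ip"], user=rec["user"],
            object_type=target["object_type"], object_id=int(target["object_id"]),
            status=rec["status"], verdict=verdict,
        ))
    return findings


if __name__ == "__main__":
    for f in find_view_only_uploads(SAMPLE_LOG, SAMPLE_PERMISSIONS):
        print(f"{f.verdict:9} {f.ts} {f.ip} user={f.user} "
              f"{f.object_type}/{f.object_id} status={f.status}")
```

On the constructed input the script reports viewer1's successful upload to hardware/42 as confirmed and viewer2's rejected upload to users/7 as attempted; admin1 and editor1 are skipped because they hold 'update', and the GET request is ignored. Run it against the real proxy log with the real permission export; any "confirmed" line on an unpatched instance is worth treating as an incident.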

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Snipe-IT to version 8.4.1 or later, where the vulnerability has been fixed by requiring 'update' permissions instead of 'view' permissions for file uploads.

Since no official workarounds are available, applying the patch or upgrading the software is critical.

Additionally, review and restrict user permissions to minimize exposure, ensuring that only trusted users have upload capabilities.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized users with only view permissions to upload arbitrary files and execute arbitrary code, which can lead to unauthorized data access and modification.

Such unauthorized access and potential data breaches can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

