CVE-2026-44832
Privilege Escalation in Snipe-IT via User Permissions
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| snipeitapp | snipe-it | up to 8.4.1 (excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-281 | The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44832 is a privilege escalation vulnerability in Snipe-IT, an IT asset/license management system. Before version 8.4.1, an authenticated user who only has the users.edit permission can escalate their privileges to admin by sending a specially crafted PATCH request to the /api/v1/users/{id} endpoint with permissions[admin]=1.
The root cause is that the API controller only removes the superuser key from the permissions array but does not prevent modification of other permission keys, including admin. This allows unauthorized users who can update users to grant themselves admin rights.
This vulnerability was fixed in version 8.4.1.
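As an added illustration, not Snipe-IT's own code (which is PHP), the following Python sketch models the filtering described above: the pre-fix behaviour drops only the superuser key from the submitted permissions array, while a hardened filter drops every privileged key the requester does not already hold. The bracket-notation parser, the key names and the sample request body are simplified assumptions constructed for this example.

```python
from urllib.parse import parse_qsl

# Keys that a caller must not be able to grant unless they already hold them
# (assumed set for this example; "superuser" is the only one the pre-fix code dropped).
PRIVILEGED_KEYS = ("superuser", "admin")

# Constructed sample body: a users.edit holder submitting permissions[admin]=1.
CONSTRUCTED_BODY = "permissions[admin]=1&permissions[users.view]=1&first_name=Sam"


def parse_bracket_form(body: str) -> dict:
    """Turn 'permissions[admin]=1' style form input into {'permissions': {'admin': '1'}}.
    Approximates Laravel's bracket-notation parsing (one level only; assumption)."""
    parsed = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            base, sub = key[:-1].split("[", 1)
            parsed.setdefault(base, {})[sub] = value
        else:
            parsed[key] = value
    return parsed


def vulnerable_filter(submitted: dict) -> dict:
    """Pre-8.4.1 behaviour as the advisory describes it: only 'superuser' is removed,
    so 'admin' passes straight through."""
    return {k: v for k, v in submitted.items() if k != "superuser"}


def hardened_filter(submitted: dict, requester_perms: dict) -> dict:
    """Drop every privileged key the requesting user does not already hold,
    so a users.edit holder cannot grant admin or superuser to anyone."""
    cleaned = {}
    for key, value in submitted.items():
        if key in PRIVILEGED_KEYS and requester_perms.get(key) != "1":
            continue  # silently discard the escalation attempt
        cleaned[key] = value
    return cleaned


def apply_patch(body: str, requester_perms: dict, hardened: bool) -> dict:
    """Return the permissions that would be stored for the target user."""
    submitted = parse_bracket_form(body).get("permissions", {})
    if hardened:
        return hardened_filter(submitted, requester_perms)
    return vulnerable_filter(submitted)


if __name__ == "__main__":
    editor = {"users.edit": "1"}
    print("vulnerable:", apply_patch(CONSTRUCTED_BODY, editor, hardened=False))
    print("hardened:  ", apply_patch(CONSTRUCTED_BODY, editor, hardened=True))
```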
How can this vulnerability impact me?
This vulnerability allows an authenticated user with limited permissions (users.edit) to escalate their privileges to admin. This means an attacker could gain full administrative control over the Snipe-IT system.
With admin privileges, the attacker could potentially access, modify, or delete sensitive IT asset and license data, manage users, and perform other high-level administrative actions that could compromise the integrity and security of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for PATCH requests to the /api/v1/users/{id} endpoint that include the permissions[admin]=1 parameter. Such requests indicate an attempt to escalate privileges by modifying the admin permission.
You can use network monitoring or web server logs to identify these suspicious PATCH requests.
Example command using grep on web server logs to find such requests:
- grep -i 'PATCH /api/v1/users/' /path/to/access.log | grep -F 'permissions[admin]=1' (the -F flag makes grep match the string literally; without it, [admin] is interpreted as a character class and the pattern would not match the parameter as written)
Alternatively, using tools like Wireshark or tcpdump to capture HTTP traffic and filter for PATCH requests to the vulnerable endpoint with the admin permission set can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Snipe-IT to version 8.4.1 or later, where this vulnerability has been fixed.
Until the upgrade can be applied, restrict access to the /api/v1/users/{id} PATCH endpoint to only fully trusted users and monitor for suspicious privilege escalation attempts.
No other official workarounds or patches are provided beyond upgrading to the fixed version.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.