CVE Catalog

CVE-2026-44832

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile - higher than 23% of all known CVEs

Summary

In Snipe-IT prior to 8.4.1, an authenticated user with only users.edit permission can escalate their privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users.

Risk Assessment

The organization is at risk of unauthorized full system takeover by a regular user, potentially leading to data theft, configuration changes, or complete compromise of IT asset management.

Recommendation

Immediately upgrade Snipe-IT to version 8.4.1 or later, which includes a fix that removes the privilege escalation vulnerability.

Original NVD description (English source)

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS