CVE-2026-44832
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk23th percentile - higher than 23% of all known CVEs
Summary
In Snipe-IT prior to 8.4.1, an authenticated user with only users.edit permission can escalate their privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users.
Risk Assessment
The organization is at risk of unauthorized full system takeover by a regular user, potentially leading to data theft, configuration changes, or complete compromise of IT asset management.
Recommendation
Immediately upgrade Snipe-IT to version 8.4.1 or later, which includes a fix that removes the privilege escalation vulnerability.
Original NVD description (English source)
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1.

