CVE-2026-44832

EPSS 0.01%

Snipe-IT has Privilege Escalation via API Permissions Assignment

Published: 5/8/2026Modified: 5/8/2026

Description

### Impact An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users. ### Patches Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569, fix was released in v8.4.1 ### Workarounds None.

Affected packages (1)

Packagist/snipe/snipe-itfrom 0, < 8.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References (3)

PATCHhttps://github.com/grokability/snipe-it
WEBhttps://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569
WEBhttps://github.com/grokability/snipe-it/security/advisories/GHSA-hq28-crg7-95pr