Description
Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component
Published: 2026-05-07
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the UploadedFilesController.php of Grokability Snipe‑IT and arises from insecure file‑system permissions. A remote user can upload a crafted file through the API, causing the application to execute arbitrary code and thereby compromising confidentiality, integrity, and availability. The weakness is a classic example of improper authorization (CWE‑284).

Affected Systems

Grokability Snipe‑IT version 8.4.0 and any earlier release are affected. The defect is resolved in commits released after 2026‑03‑10 (commit 676a9958), so installations that have not applied that update remain vulnerable.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and the lack of an EPSS score means exact exploitation likelihood cannot be quantified, though the public advisory suggests it is a high risk target. The vulnerability is not listed in the CISA KEV catalog. Exploitation is performed remotely by sending a malicious file via the upload API endpoint; successful exploitation would grant the attacker full control of the application server.

Generated by OpenCVE AI on May 7, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Snipe‑IT installation to a release that includes the 2026‑03‑10 commit 676a9958, which corrects the permission issue.
  • Re‑configure the upload directory, ensuring it runs with the least privilege and that only trusted users have write access.
  • Activate logging and monitoring for the file‑upload API endpoints, and implement rate limiting or additional controls to detect and deter brute‑force attempts.

Generated by OpenCVE AI on May 7, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Insecure Permissions in Snipe‑IT Allow Remote Code Execution

Thu, 07 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Insecure Permissions Allowing Remote Arbitrary Code Execution in Snipe‑IT
Weaknesses CWE-732

Thu, 07 May 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Grokability
Grokability snipe-it
Vendors & Products Grokability
Grokability snipe-it

Thu, 07 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Insecure Permissions Allowing Remote Arbitrary Code Execution in Snipe‑IT
Weaknesses CWE-732

Thu, 07 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component
References

Subscriptions

Grokability Snipe-it
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T17:39:49.914Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37709

cve-icon Vulnrichment

Updated: 2026-05-07T17:37:31.203Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-07T18:16:19.013

Modified: 2026-05-07T18:50:25.993

Link: CVE-2026-37709

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T21:45:36Z

Weaknesses