Description
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1.
Published: 2026-05-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability permits an authenticated user who has only the users.edit permission to elevate their own privileges to administrator by sending a specially crafted PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API fails to block the superuser key in the permissions array, so the admin flag can be set by any user who can update a user record. The weakness is improper access control and authorization bypass. An attacker who gains admin rights can modify or delete asset inventories, override licensing data, and control system configuration, potentially compromising the confidentiality, integrity, and availability of the asset management system.

Affected Systems

Snipe‑IT, a web‑based IT asset and license management platform developed by grokability, is affected. All releases before version 8.4.1 are vulnerable. The vulnerability exists across the core API in these pre‑8.4.1 releases, regardless of deployment environment.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The EPSS score of <1% shows that exploitation is currently considered rare. The vulnerability is not listed in CISA KEV. The likely attack vector is remote application‑based, requiring an authenticated session with users.edit permission to the API. An attacker who can craft the PATCH request can immediately gain administrator privileges, enabling full control over the system. The risk is high because the compromise would provide a single account with unrestricted access to all assets and configuration settings.

Generated by OpenCVE AI on July 10, 2026 at 04:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Snipe‑IT 8.4.1 or later to apply the official fix that blocks admin flag changes via the API.
  • If an upgrade is delayed, ensure that only accounts with administrative rights retain the users.edit permission to prevent privilege escalation.
  • Continuously monitor API logs for attempts to modify user permissions and alert administrators of suspicious activity.

Generated by OpenCVE AI on July 10, 2026 at 04:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hq28-crg7-95pr Snipe-IT has Privilege Escalation via API Permissions Assignment
History

Thu, 02 Jul 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Wed, 27 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Grokability
Grokability snipe-it
Snipeitapp
Snipeitapp snipe-it
CPEs cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*:*
Vendors & Products Grokability
Grokability snipe-it
Snipeitapp
Snipeitapp snipe-it
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 26 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1.
Title Snipe-IT: Privilege Escalation via API Permissions Assignment
Weaknesses CWE-281
CWE-863
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Grokability Snipe-it
Snipeitapp Snipe-it
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-02T14:48:03.288Z

Reserved: 2026-05-07T21:21:48.352Z

Link: CVE-2026-44832

cve-icon Vulnrichment

Updated: 2026-05-27T14:05:38.638Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T20:16:20.183

Modified: 2026-06-17T10:51:24.423

Link: CVE-2026-44832

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T04:45:04Z

Weaknesses
  • CWE-281

    Improper Preservation of Permissions

  • CWE-863

    Incorrect Authorization