Description
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1.
Published: 2026-05-26
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an authenticated user who has only the users.edit permission to elevate their own privileges to full administrator. By issuing a PATCH request to /api/v1/users/{id} with the payload permissions[admin]=1, the API does not properly filter the superuser key, meaning the admin flag can be set by any user who can update a user record. The weakness is identified as CWE-281 (Improper Access Control) and CWE-863 (Information Exposure through Authorization Checks).

Affected Systems

Snipe-IT, version prior to 8.4.1, owned by grokability. The affected system is a web-based asset and license management application in which user accounts can be modified via its REST API. The vulnerability is present in all releases before 8.4.1. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 7.1 indicates medium to high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote application-based, requiring only API access and the users.edit permission. An attacker who can execute a PATCH request against the API can gain administrator rights, potentially compromising all aspects of the system, including asset inventory, licensing data, and internal controls.

Generated by OpenCVE AI on May 26, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Snipe-IT version 8.4.1 or later to apply the official fix that removes the ability to set the admin flag via this API call.
  • If an upgrade is delayed, revoke or restrict the users.edit permission from all non-administrative accounts to prevent unauthorized privilege escalation.
  • Continuously monitor API logs for attempts to change the admin flag or other elevated permissions, and alert administrators to suspicious activity.

Generated by OpenCVE AI on May 26, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hq28-crg7-95pr Snipe-IT has Privilege Escalation via API Permissions Assignment
History

Tue, 26 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Grokability
Grokability snipe-it
Snipeitapp
Snipeitapp snipe-it
CPEs cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*:*
Vendors & Products Grokability
Grokability snipe-it
Snipeitapp
Snipeitapp snipe-it
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 26 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1.
Title Snipe-IT: Privilege Escalation via API Permissions Assignment
Weaknesses CWE-281
CWE-863
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Grokability Snipe-it
Snipeitapp Snipe-it
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T19:29:31.026Z

Reserved: 2026-05-07T21:21:48.352Z

Link: CVE-2026-44832

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T20:16:20.183

Modified: 2026-05-26T20:38:35.380

Link: CVE-2026-44832

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T20:30:15Z

Weaknesses