Impact
This vulnerability permits an authenticated user who has only the users.edit permission to elevate their own privileges to administrator by sending a specially crafted PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API fails to block the superuser key in the permissions array, so the admin flag can be set by any user who can update a user record. The weakness is improper access control and authorization bypass. An attacker who gains admin rights can modify or delete asset inventories, override licensing data, and control system configuration, potentially compromising the confidentiality, integrity, and availability of the asset management system.
Affected Systems
Snipe‑IT, a web‑based IT asset and license management platform developed by grokability, is affected. All releases before version 8.4.1 are vulnerable. The vulnerability exists across the core API in these pre‑8.4.1 releases, regardless of deployment environment.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. The EPSS score of <1% shows that exploitation is currently considered rare. The vulnerability is not listed in CISA KEV. The likely attack vector is remote application‑based, requiring an authenticated session with users.edit permission to the API. An attacker who can craft the PATCH request can immediately gain administrator privileges, enabling full control over the system. The risk is high because the compromise would provide a single account with unrestricted access to all assets and configuration settings.
OpenCVE Enrichment
Github GHSA