CVE-2026-38533

Name of the Vulnerable Software and Affected Versions Snipe-IT version 8.4.0

Description Improper authorization in the '/api/v1/users/{id}' endpoint allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users by sending a crafted PUT request.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.