PT-2026-39300 · Grokability · Snipe-It
Lorenzofradeani · Published 2026-05-08 · Updated 2026-05-26 · CVE-2026-44832
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Snipe-IT versions prior to 8.4.1
Description
An authenticated user possessing only the users.edit permission can escalate their privileges to administrator. This occurs by sending a PATCH request to the /api/v1/users/{id} endpoint with the permissions[admin] parameter set to 1. The API controller fails to properly validate the permissions array: it strips only the superuser key, while allowing the admin key and other permission keys to be modified by any user with update capabilities.
Recommendations
Update to version 8.4.1.
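The bug class described above, as an added illustration that is not Snipe-IT's own code: a filter that strips only the superuser key (the flaw) next to a hardened filter that accepts privileged keys only from a superuser, plus a detection rule over request records. The request-record format, the users.view key and the numeric-id path pattern are assumptions.

```python
import re

# Keys that grant elevated access. 'admin' and 'superuser' are named in the
# advisory; treating them together as "privileged" is this example's assumption.
PRIVILEGED_KEYS = frozenset({"superuser", "admin"})
USER_UPDATE_PATH = re.compile(r"^/api/v1/users/\d+$")

def filter_permissions_flawed(requested: dict) -> dict:
    """Models the flawed filter: only 'superuser' is stripped, so a caller
    with users.edit alone can still push 'admin' through."""
    return {k: v for k, v in requested.items() if k != "superuser"}

def filter_permissions_hardened(requested: dict, actor_is_superuser: bool) -> tuple:
    """Hardened filter: privileged keys are accepted only from a superuser.
    Returns (accepted, rejected) so every dropped key can be audit-logged."""
    accepted, rejected = {}, {}
    for key, value in requested.items():
        if key in PRIVILEGED_KEYS and not actor_is_superuser:
            rejected[key] = value
        else:
            accepted[key] = value
    return accepted, rejected

def is_escalation_attempt(record: dict) -> bool:
    """Detection rule over an API request record (constructed format): a PATCH
    to the user-update endpoint that sets a privileged permission key while
    the calling account is not a superuser."""
    if record.get("method") != "PATCH":
        return False
    if not USER_UPDATE_PATH.match(record.get("path", "")):
        return False
    if record.get("actor_superuser", False):
        return False
    perms = record.get("body", {}).get("permissions", {})
    return any(key in PRIVILEGED_KEYS for key in perms)

def flagged_indexes(records: list) -> list:
    """Indexes of the records that the detection rule flags."""
    return [i for i, r in enumerate(records) if is_escalation_attempt(r)]

# Constructed sample request records, not real logs.
SAMPLE_RECORDS = [
    {"method": "PATCH", "path": "/api/v1/users/42", "actor_superuser": False,
     "body": {"permissions": {"admin": "1"}}},
    {"method": "PATCH", "path": "/api/v1/users/42", "actor_superuser": True,
     "body": {"permissions": {"admin": "1"}}},
    {"method": "PATCH", "path": "/api/v1/users/42", "actor_superuser": False,
     "body": {"first_name": "Ada"}},
]
```

Only the first sample record is flagged: a non-superuser setting a privileged key on the user-update endpoint, which is exactly what the hardened filter would reject and log.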
Fix
LPE
Improper Preservation of Permissions
Incorrect Authorization
Affected Products
Snipe-It
Snipe/Snipe-It