CVE-2026-44832

UNKNOWN 0.0

Snipe-IT: Privilege Escalation via API Permissions Assignment

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

2th

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1.

CWE	CWE-281 CWE-863
Vendor	grokability
Product	snipe-it
Published	May 26, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for grokability snipe-it

Be the first to know when new unknown vulnerabilities affecting grokability snipe-it are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

grokability / snipe-it

< 8.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/grokability/snipe-it/security/advisories/GHSA-hq28-crg7-95pr github.com: https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569