CVE-2026-44832
Published 2026-05-26
Priority: P3 (55)
Severity: high, CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.31% (23.1st percentile)
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user with only the users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, so admin and every other permission key can be set by any user who is allowed to update users. This vulnerability is fixed in 8.4.1.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grokability | snipe-it | < 8.4.1 | 8.4.1 |
| snipe | snipe-it | >= 0 < 8.4.1 | 8.4.1 |
| snipeitapp | snipe-it | < 8.4.1 | 8.4.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Note that the two vectors disagree on impact: the v3.1 vector rates confidentiality, integrity and availability all High (C:H/I:H/A:H), while the v4.0 vector rates only integrity of the vulnerable system High (VI:H) with confidentiality and availability None. Treat the v3.1 score as the more conservative of the two when prioritising, since an admin account in an asset management system can read every record it manages.
VulDB
Grokability Snipe-IT up to 8.4.0 permissions
vuldb · 2026-05-26 · CVSS 7.1 · HIGH
A vulnerability was found in Grokability Snipe-IT up to 8.4.0. It has been declared critical. This issue affects some unknown processing. Such manipulation leads to preservation of permissions.
This vulnerability is listed as CVE-2026-44832. The attack may be performed remotely. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
Snipe-IT has Privilege Escalation via API Permissions Assignment
ghsa · 2026-05-08 · HIGH · CWE-281
### Impact
An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users.
### Patches
Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569; the fix was released in v8.4.1.
### Workarounds
None.
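The advisory describes the flaw in one sentence: the controller strips only `superuser` from the submitted permissions array and merges the rest. The following is an added example, not Snipe-IT's own code (which is PHP/Laravel); it models that merge in Python so the vulnerable behaviour and an illustrative hardened filter can be run side by side. The hardened rule (a non-superuser caller may only set permission keys it already holds), the caller's permission set, the helper names and the request bodies are all assumptions made for this example; only the `permissions[admin]=1` body, the `admin` and `superuser` keys and the `users.edit` permission come from the advisory.

```python
"""Model of the permissions merge behind CVE-2026-44832.

Added example, not Snipe-IT's code. It reproduces the behaviour the advisory
describes (only the 'superuser' key is stripped) beside an assumed hardened
filter. All function names, the caller's permission set and the request
bodies are constructed for illustration.
"""
from urllib.parse import parse_qsl

# Keys an ordinary user must never be able to set. 'superuser' and 'admin'
# are the two named in the advisory.
PRIVILEGED_KEYS = {"superuser", "admin"}


def parse_permissions(body: str) -> dict:
    """Pull the permissions[...] array out of a form-encoded PATCH body,
    e.g. 'permissions[admin]=1' -> {'admin': '1'}."""
    perms = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.startswith("permissions[") and key.endswith("]"):
            perms[key[len("permissions["):-1]] = value
    return perms


def vulnerable_filter(requested: dict, caller: dict) -> dict:
    """Pre-8.4.1 behaviour as the advisory describes it: only 'superuser'
    is removed, so 'admin' and every other key pass through regardless of
    who the caller is (the caller argument is ignored, which is the bug)."""
    return {k: v for k, v in requested.items() if k != "superuser"}


def hardened_filter(requested: dict, caller: dict) -> dict:
    """Assumed fix, not the project's actual patch: a caller who is not a
    superuser may neither touch the privileged keys nor set any permission
    key they do not themselves hold."""
    if caller.get("superuser") == "1":
        return dict(requested)
    return {
        k: v for k, v in requested.items()
        if k not in PRIVILEGED_KEYS and caller.get(k) == "1"
    }


def apply_update(current: dict, requested: dict, caller: dict, filter_fn) -> dict:
    """Merge the filtered request into the target user's permission set."""
    updated = dict(current)
    updated.update(filter_fn(requested, caller))
    return updated


def gained_privileged(before: dict, after: dict) -> list:
    """Privileged keys that flipped to '1' in a single update; this is the
    condition an audit or detection check would flag."""
    return sorted(
        k for k in PRIVILEGED_KEYS
        if before.get(k) != "1" and after.get(k) == "1"
    )


# Constructed sample: a low-privileged account editing its own record with the
# body named in the advisory, plus 'superuser' to show that key is stripped
# by both filters.
SELF = {"users.edit": "1", "admin": "0", "superuser": "0"}
ATTACK_BODY = "permissions[admin]=1&permissions[superuser]=1"


def demo(filter_fn) -> list:
    """Run the self-edit through the given filter and report what was gained."""
    requested = parse_permissions(ATTACK_BODY)
    after = apply_update(SELF, requested, SELF, filter_fn)
    return gained_privileged(SELF, after)


if __name__ == "__main__":
    print("vulnerable filter, privileged keys gained:", demo(vulnerable_filter))
    print("hardened filter,   privileged keys gained:", demo(hardened_filter))
```

`demo(vulnerable_filter)` returns `['admin']`, reproducing the escalation; `demo(hardened_filter)` returns `[]`. The `gained_privileged` check is the shape of an after-the-fact audit over a user-permission change log: any update where `admin` or `superuser` moves from unset to `1` on an instance older than 8.4.1 deserves a look, whoever submitted it.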
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.