CVE-2026-44832
8.8 HIGH
Snipe-IT is an IT asset/license management system
Published: 2026-05-26 · Last updated: 2026-05-26
Severity and scoring
- CVSS: 8.8 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-281, CWE-863
Affected products
| Vendor | Product |
|---|---|
| snipeitapp | snipe-it |
Description
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user with only the users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller strips only the superuser key from the permissions array, so admin and every other permission key can be set by any user who can update users. This vulnerability is fixed in 8.4.1.
Source: NVD
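The filtering flaw described above, as an added PHP example (not Snipe-IT's code and not the 8.4.1 patch): a denylist that drops only `superuser`, beside a filter that accepts only keys the acting user may hand out. The permission catalogue, the function names and the hardened policy (a non-superuser may change only keys they already hold, values reduced to 1 or 0) are assumptions made for illustration.

```php
<?php
// Added illustration. Not Snipe-IT source and not the 8.4.1 patch.

// Hypothetical permission catalogue; the real application defines its own keys.
const KNOWN_PERMISSIONS = ['superuser', 'admin', 'users.view', 'users.edit', 'assets.view'];

/** Denylist filter as the advisory describes it: only "superuser" is removed. */
function filterDenylist(array $requested): array
{
    unset($requested['superuser']);
    return $requested; // "admin" and every other key pass through untouched
}

/**
 * Hardened filter (assumed policy): drop unknown keys, and let a
 * non-superuser change only the permissions they hold themselves.
 */
function filterGrantable(array $requested, array $actorPerms): array
{
    $isSuperuser = (int) ($actorPerms['superuser'] ?? 0) === 1;
    $accepted = [];
    foreach ($requested as $key => $value) {
        if (!in_array($key, KNOWN_PERMISSIONS, true)) {
            continue; // not a permission the application defines
        }
        if (!$isSuperuser && (int) ($actorPerms[$key] ?? 0) !== 1) {
            continue; // actor lacks this permission, so cannot grant it
        }
        // Simplification: normalise to 1 (granted) or 0 (not granted).
        $accepted[$key] = (is_scalar($value) && (int) $value === 1) ? 1 : 0;
    }
    return $accepted;
}

// Constructed sample: the actor holds only users.edit; the submitted
// permissions array asks for admin and superuser as well.
$actor = ['users.edit' => 1];
$body  = ['admin' => 1, 'superuser' => 1, 'users.edit' => 1];

var_dump(filterDenylist($body));          // admin and users.edit survive
var_dump(filterGrantable($body, $actor)); // only users.edit survives
```

The same check belongs on every write path that accepts a permissions array, not only the user-update endpoint.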
Related CVEs
Same vendor
- CVE-2026-48507 — Snipe-IT is an IT asset/license management system (7.1 HIGH)
- CVE-2026-44833 — Snipe-IT is an IT asset/license management system (5.9 MEDIUM)
- CVE-2026-44831 — Snipe-IT is an IT asset/license management system (4.8 MEDIUM)
Same CWE
- CVE-2026-24724 — An incorrect authorization vulnerability has been reported to affect File Station 6
- CVE-2026-48303 — Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that could re... (10.0 CRITICAL)
- CVE-2026-47929 — ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary c... (8.4 HIGH)
- CVE-2026-47910 — Dreamweaver Desktop versions 21.7 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary file ... (6.3 MEDIUM)
- CVE-2026-41852 — A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within r... (3.7 LOW)