CVE-2026-44832 · HIGH 8.8 · EPSS p23.0%


Description

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user with only the users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, so admin and every other permission key can be set by any user who is allowed to update users. This vulnerability is fixed in 8.4.1.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.31% probability of exploitation · percentile 23.0% · 2026-06-19T12:03:05Z
Published: 2026-05-26
Last modified: 2026-05-26

Underlying weaknesses · 2

CWE-281, CWE-863

References

  1. https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569
  2. https://github.com/grokability/snipe-it/security/advisories/GHSA-hq28-crg7-95pr


Type      | Target                                          | Confidence | Tier
Weakness  | Improper Preservation of Permissions (cwe-281)  | 0%         | live
Weakness  | Incorrect Authorization (cwe-863)               | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-48507
CVE: CVE-2025-15602
CVE: CVE-2026-37709
CVE: CVE-2025-63601
CVE: CVE-2026-42562
CVE: CVE-2026-10868

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.