VYPR
High severity · NVD Advisory · Published Jun 14, 2024 · Updated Aug 1, 2024

Broken Function Level Authorization (BFLA) in snipe/snipe-it

CVE-2024-5685

Description

Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call. This issue affects snipe-it: from v4.6.17 through v6.4.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Users with 'User:edit' and 'Self:api' permissions can escalate privileges by modifying group memberships via API in Snipe-IT.

Root Cause

The vulnerability stems from insufficient authorization checks in the user update API endpoint. Users possessing both "User:edit" and "Self:api" permissions were able to modify group memberships of any user, including themselves, without requiring superuser status. The code that handled group syncing did not properly gate the operation behind a superuser check, allowing non-superusers to alter group associations via API calls [1].

Exploitation

An attacker with the requisite permissions can send a crafted API request to the user update endpoint, including a groups parameter. The application would then change the target user's group memberships, even if the attacker is not a superuser. No additional authentication bypass is needed; the vulnerability is exercised through normal API usage for users who have been granted these permissions [1][3].

Impact

By promoting themselves or others to groups with elevated privileges, an attacker can achieve privilege escalation. For example, adding a user to a group with superuser rights effectively grants full administrative control over the Snipe-IT instance, leading to complete compromise of the application and its data [1].

Mitigation

The issue is fixed in Snipe-IT version 6.4.2. The fix refactors the group syncing logic to ensure that only superusers can modify group memberships via the API [3][4]. Users running versions from 4.6.17 through 6.4.1 should upgrade to 6.4.2 or later to remediate the vulnerability.
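A regression test for the fixed gating, added here as an example (it is not Snipe-IT's own test suite and not part of this advisory). It assumes Snipe-IT's Laravel test conventions: a `Tests\TestCase` base class, `Passport::actingAs` for the API guard, `User`/`Group` factories, a JSON `permissions` column keyed `users.edit`, `self.api` and `superuser`, the `users_groups` pivot table and the `api.users.update` route name.

```php
<?php
// Added regression test, not part of Snipe-IT or of this advisory. Assumed names:
// Passport::actingAs for the API guard, JSON `permissions` column with keys
// users.edit / self.api / superuser, `users_groups` pivot, `api.users.update` route.
namespace Tests\Feature\Api\Users;

use App\Models\Group;
use App\Models\User;
use Laravel\Passport\Passport;
use Tests\TestCase;

class UpdateUserGroupsViaApiTest extends TestCase
{
    // Permission set named in the advisory: may edit users and use the API, is not a superuser.
    private const EDITOR_PERMS = ['users.edit' => '1', 'self.api' => '1'];

    private function attemptGroupChange(User $actor, User $target, Group $group)
    {
        Passport::actingAs($actor);
        return $this->patchJson(route('api.users.update', $target->id), [
            'groups' => [$group->id],
        ]);
    }

    public function testNonSuperuserCannotChangeGroupMembership(): void
    {
        $actor  = User::factory()->create(['permissions' => json_encode(self::EDITOR_PERMS)]);
        $target = User::factory()->create();
        // Group carrying the superuser permission: membership here is the privilege escalation.
        $admins = Group::factory()->create(['permissions' => json_encode(['superuser' => '1'])]);

        // Patched code ignores `groups` for non-superusers; the update itself still succeeds.
        $this->attemptGroupChange($actor, $target, $admins)->assertOk();
        $this->assertDatabaseMissing('users_groups', ['user_id' => $target->id, 'group_id' => $admins->id]);

        // Self-promotion (actor == target) must be blocked the same way.
        $this->attemptGroupChange($actor, $actor, $admins)->assertOk();
        $this->assertDatabaseMissing('users_groups', ['user_id' => $actor->id, 'group_id' => $admins->id]);
    }

    public function testSuperuserCanStillAssignGroups(): void
    {
        $admin  = User::factory()->create(['permissions' => json_encode(['superuser' => '1'])]);
        $target = User::factory()->create();
        $group  = Group::factory()->create();
        $this->attemptGroupChange($admin, $target, $group)->assertOk();
        $this->assertDatabaseHas('users_groups', ['user_id' => $target->id, 'group_id' => $group->id]);
    }
}
```

Run against a checkout at 6.4.1 the first test fails on the `assertDatabaseMissing` calls; at 6.4.2 both tests pass.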

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: snipe/snipe-it (Packagist)
Affected versions: < 6.4.2
Patched versions: 6.4.2


Patches

34f1ea1c0ecd

Re-order gating and refactor group syncing

https://github.com/snipe/snipe-it · snipe · May 21, 2024 · via ghsa
1 file changed · +7 −19
  • app/Http/Controllers/Api/UsersController.php · +7 −19 · modified
    @@ -475,7 +475,7 @@ public function update(SaveUserRequest $request, $id)
             if ($request->has('permissions')) {
                 $permissions_array = $request->input('permissions');
     
    -            // Strip out the superuser permission if the API user isn't a superadmin
    +            // Strip out the individual superuser permission if the API user isn't a superadmin
                 if (! Auth::user()->isSuperUser()) {
                     unset($permissions_array['superuser']);
                 }
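Review bot: The reworded comment on the `unset($permissions_array['superuser'])` block is worth keeping but could go one step further: this strips only the direct `superuser` key from the submitted permissions, so a non-superadmin can still not grant that flag here, yet it says nothing about superuser rights that arrive through group membership, which is the path the second hunk closes. Suggest the comment name that explicitly ("group-derived rights are gated below") so a later reader does not take this block as the only superuser guard in `update()`.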
    @@ -493,32 +493,20 @@ public function update(SaveUserRequest $request, $id)
               
             if ($user->save()) {
     
    -            // Check if the request has groups passed and has a value
    -            if ($request->filled('groups')) {
    +            // Check if the request has groups passed and has a value, AND that the user us a superuser
    +            if (($request->has('groups')) && (Auth::user()->isSuperUser())) {
     
                     $validator = Validator::make($request->all(), [
                         'groups.*' => 'integer|exists:permission_groups,id',
                     ]);
    -                
    -                if ($validator->fails()){
    -                    return response()->json(Helper::formatStandardApiResponse('error', null, $user->getErrors()));
    -                }
     
    -                // Only save groups if the user is a superuser
    -                if (Auth::user()->isSuperUser()) {
    -                    $user->groups()->sync($request->input('groups'));
    -                }
    +                $user->groups()->sync($request->input('groups'));
     
    -            // The groups field has been passed but it is null, so we should blank it out
    -            } elseif ($request->has('groups')) {
    -                
    -                // Only save groups if the user is a superuser
    -                if (Auth::user()->isSuperUser()) {
    -                    $user->groups()->sync($request->input('groups'));
    +                if ($validator->fails()) {
    +                    return response()->json(Helper::formatStandardApiResponse('error', null, $user->getErrors()));
                     }
    -            }
    -
     
    +            }
                 return response()->json(Helper::formatStandardApiResponse('success', (new UsersTransformer)->transformUser($user), trans('admin/users/message.success.update')));
             }
     
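Review bot: The validator in this hunk runs after the write: `$user->groups()->sync($request->input('groups'))` executes before `if ($validator->fails())`, so a request whose IDs fail `'groups.*' => 'integer|exists:permission_groups,id'` has already been synced (or has already hit a database error) by the time the error response is built. Move the `fails()` check directly after `Validator::make(...)` and in front of `sync()`. The error branch also returns `$user->getErrors()` rather than `$validator->errors()`, so the caller never sees which group value was rejected, and the new comment has a typo ("the user us a superuser"). The gating change itself is the right fix for this advisory: with `(Auth::user()->isSuperUser())` on the outer `if`, a non-superuser's `groups` parameter is now ignored entirely instead of being validated and then conditionally applied, and switching `filled('groups')` to `has('groups')` keeps the old "null blanks out the groups" behaviour for superusers in the same branch.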
    

