Critical severity9.8GHSA Advisory· Published May 7, 2026· Updated May 12, 2026

CVE-2026-37709

Description

Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
snipe/snipe-itPackagist	< 8.4.1	8.4.1

Affected products

Grokability/Snipe ItGHSA
Range: < 8.4.1

Patches

676a9958895a

Use update check for files controller api

https://github.com/grokability/snipe-itsnipeMar 10, 2026via ghsa

commit

1 file changed · +1 −1

app/Http/Controllers/Api/UploadedFilesController.php+1 −1 modified

@@ -93,7 +93,7 @@ public function store(UploadFileRequest $request, $object_type, $id) : JsonRespo
 
         // Check the permissions to make sure the user can view the object
         $object = self::$map_object_type[$object_type]::withTrashed()->find($id);
-        $this->authorize('view', $object);
+        $this->authorize('update', $object);
 
         if (!$object) {
             return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.file_upload_status.invalid_object')));

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/grokability/snipe-it/commit/676a9958895a77de340565e7a0b17ae744664904nvdPatchWEB
github.com/grokability/snipe-it/security/advisories/GHSA-xg82-2hrv-hf64nvdPatchVendor AdvisoryWEB
github.com/advisories/GHSA-xg82-2hrv-hf64ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-37709ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000