Medium severity 6.5 · NVD Advisory · Published Apr 14, 2026 · Updated May 1, 2026
CVE-2026-38533
Description
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users by supplying a crafted PUT request.
Affected products
- cpe:2.3:a:snipeitapp:snipe-it:8.4.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2026-38533/poc.md (NVD: Exploit, Third Party Advisory)
- github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38533 (NVD: Exploit, Third Party Advisory, Mitigation)
- snipeitapp.com (NVD: Product)