Medium severity (6.5) · NVD Advisory · Published Apr 14, 2026 · Updated May 1, 2026
CVE-2026-38533
Description
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users by supplying a crafted PUT request.
Affected products
- cpe:2.3:a:snipeitapp:snipe-it:8.4.0:*:*:*:*:*:*:*
- (no CPE) range: = 8.4.0
References
- github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2026-38533/poc.md (nvd: Exploit, Third Party Advisory)
- github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38533 (nvd: Exploit, Third Party Advisory, Mitigation)
- snipeitapp.com (nvd: Product)