VYPR
High severity · GHSA Advisory · Published May 8, 2026

Snipe-IT has Privilege Escalation via API Permissions Assignment

CVE-2026-44832

Description

Impact

An authenticated user holding only the users.edit permission can escalate to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller strips only the superuser key from the submitted permissions array, so admin and every other permission key can be set by any user who is allowed to update users.
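As an added illustration (not Snipe-IT's own code), a deny-by-default version of the permission filtering described above, written so that every privileged key is handled in one place; the function and parameter names are assumptions, while the admin/superuser keys and '0'/'1' values follow the patch.

```php
<?php
// Added example, not Snipe-IT code: a deny-by-default filter for the permissions[]
// array a caller submits when updating a user. Function and parameter names are
// assumptions; the 'admin'/'superuser' keys and '0'/'1' values follow the patch.

/**
 * Merge a submitted permissions array into the target user's current one,
 * keeping every privileged key at its original value unless the caller may grant it.
 */
function sanitizePermissions(array $submitted, array $original,
                             bool $actorIsSuperuser, bool $actorIsAdmin): array
{
    // Privileged keys and whether this caller may change them. One table,
    // rather than unsetting dangerous keys one at a time.
    $privileged = [
        'superuser' => $actorIsSuperuser,
        'admin'     => $actorIsSuperuser || $actorIsAdmin,
    ];

    $result = [];
    foreach ($submitted as $key => $value) {
        // Normalise to the '0'/'1' strings; anything unexpected becomes '0'.
        $value = in_array($value, [1, '1', true], true) ? '1' : '0';

        if (isset($privileged[$key]) && ! $privileged[$key]) {
            $result[$key] = $original[$key] ?? '0'; // caller may not change it
            continue;
        }
        $result[$key] = $value;
    }

    // A privileged key the caller omitted keeps its original value too, so
    // leaving 'admin' out of the request cannot silently clear it.
    foreach ($privileged as $key => $mayGrant) {
        if (! $mayGrant && ! array_key_exists($key, $result)) {
            $result[$key] = $original[$key] ?? '0';
        }
    }
    return $result;
}

// Constructed sample: a caller holding only users.edit submits admin=1 for a
// user who currently has neither flag; the function keeps admin at '0'.
var_export(sanitizePermissions(
    ['admin' => '1', 'users.edit' => '1'],
    ['admin' => '0', 'superuser' => '0'],
    false, false
));
```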

Patches

Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569; the fix was released in v8.4.1.

Workarounds

None.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
snipe/snipe-it (Packagist)   < 8.4.1             8.4.1

Affected products: 1

Patches: 1

Commit ce18ff669ceb

Added admin check

2 files changed · +13 −1
  • app/Http/Controllers/Api/UsersController.php (+1 −1, modified)
    @@ -462,7 +462,7 @@ public function store(SaveUserRequest $request) : JsonResponse
                     }
                 }
     
    -            $user->permissions = $permissions_array;
    +            $user->permissions = json_encode($permissions_array);
             }
     
             // 
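Review bot: this hunk only changes how $permissions_array is stored in the API store() method (json_encode, matching the web controller's `$user->permissions = json_encode($permissions_array);`); it adds no admin check, and nothing else in the two-file diff touches the API controller's update path behind /api/v1/users/{id} that the advisory describes. Confirm that the API update handler applies the same rule the web controller hunk adds (keep the original admin value unless the caller is a superuser or admin); from this diff alone that cannot be verified.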
    
  • app/Http/Controllers/Users/UsersController.php (+12 −0, modified)
    @@ -259,12 +259,19 @@ public function update(SaveUserRequest $request, User $user)
             // Figure out of this user was an admin before this edit
             $orig_permissions_array = $user->decodePermissions();
             $orig_superuser = '0';
    +        $orig_admin = '0';
             if (is_array($orig_permissions_array)) {
                 if (array_key_exists('superuser', $orig_permissions_array)) {
                     $orig_superuser = $orig_permissions_array['superuser'];
                 }
             }
     
    +        if (is_array($orig_permissions_array)) {
    +            if (array_key_exists('admin', $orig_permissions_array)) {
    +                $orig_admin = $orig_permissions_array['admin'];
    +            }
    +        }
    +
     
             // Update the user fields
     
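Review bot: the added is_array block duplicates the check immediately above it; the admin lookup belongs inside the existing `if (is_array($orig_permissions_array))` block next to the superuser one, e.g.
    if (array_key_exists('admin', $orig_permissions_array)) {
        $orig_admin = $orig_permissions_array['admin'];
    }
which also avoids the extra blank line the hunk leaves before "// Update the user fields".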
    @@ -323,6 +330,11 @@ public function update(SaveUserRequest $request, User $user)
                     $permissions_array['superuser'] = $orig_superuser;
                 }
     
    +            if ((! auth()->user()->isSuperUser()) && (! auth()->user()->isAdmin())) {
    +                unset($permissions_array['admin']);
    +                $permissions_array['admin'] = $orig_admin;
    +            }
    +
                 $user->permissions = json_encode($permissions_array);
     
                 // Only save groups if the user is a superuser
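Review bot: `unset($permissions_array['admin']);` followed by `$permissions_array['admin'] = $orig_admin;` is redundant, since the assignment alone overwrites the key. More importantly, superuser and admin are now two separately hand-written exceptions; a comment should state the intended policy (an admin who is not a superuser may grant admin, only a superuser may grant superuser), and a table of privileged keys checked in one loop would make the next protected key less error-prone to add than another unset.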
    
