CVE-2026-44832: CWE-281: Improper Preservation of Permissions in grokability snipe-it
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1.
AI Analysis
Technical Summary
Snipe-IT versions before 8.4.1 contain a vulnerability where an authenticated user with limited editing permissions can escalate their privileges to admin by exploiting improper permission preservation in the API. Specifically, the PATCH request to /api/v1/users/{id} accepts a permissions array where the admin flag can be set by the user, as the API only removes the superuser key but not the admin key. This allows privilege escalation to admin roles. The issue is tracked as CVE-2026-44832 and is fixed in version 8.4.1.
Potential Impact
An authenticated user with users.edit permission can escalate their privileges to admin, gaining full administrative control over the Snipe-IT system. This could lead to unauthorized access to sensitive asset and license management data and administrative functions. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Snipe-IT to version 8.4.1 or later, where this vulnerability is fixed. Since the vendor advisory confirms the fix in 8.4.1, applying this official update fully mitigates the issue. No other mitigation is indicated.
CVE-2026-44832: CWE-281: Improper Preservation of Permissions in grokability snipe-it
Description
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1.
CVSS v4.0
Score 7.1high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Snipe-IT versions before 8.4.1 contain a vulnerability where an authenticated user with limited editing permissions can escalate their privileges to admin by exploiting improper permission preservation in the API. Specifically, the PATCH request to /api/v1/users/{id} accepts a permissions array where the admin flag can be set by the user, as the API only removes the superuser key but not the admin key. This allows privilege escalation to admin roles. The issue is tracked as CVE-2026-44832 and is fixed in version 8.4.1.
Potential Impact
An authenticated user with users.edit permission can escalate their privileges to admin, gaining full administrative control over the Snipe-IT system. This could lead to unauthorized access to sensitive asset and license management data and administrative functions. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Snipe-IT to version 8.4.1 or later, where this vulnerability is fixed. Since the vendor advisory confirms the fix in 8.4.1, applying this official update fully mitigates the issue. No other mitigation is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T21:21:48.352Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a15f7b96b9ae66727f5512a
Added to database: 5/26/2026, 7:42:49 PM
Last enriched: 5/26/2026, 7:47:27 PM
Last updated: 5/26/2026, 8:53:12 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.