Snipe-IT Privilege Escalation Vulnerability in User Permissions API

Vulnerability

A privilege escalation vulnerability has been identified in Snipe-IT versions prior to 8.4.1. An authenticated user with 'users.edit' permission can elevate their privileges to admin by sending a PATCH request to the user permissions API endpoint. The API improperly handles the permissions array by only removing the 'superuser' key, allowing the 'admin' key and others to be modified by any user with permission to edit users.
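The root cause described above is a denylist: the endpoint strips only the 'superuser' key and trusts the rest of the permissions array. The following is an added illustration, not Snipe-IT's own code (Snipe-IT is a PHP application; Python is used here only to keep the comparison short), contrasting that denylist filter with an allowlist that refuses any privileged key from an editor who is not already a superuser. The permission key names 'superuser', 'admin' and 'users.edit' come from the advisory; the user dictionaries, the split between privileged and ordinary keys, and the function names are constructed assumptions.

```python
"""
Illustrative comparison (not Snipe-IT code): a denylist-based permission
update that drops only 'superuser', versus an allowlist-based update that
rejects every privileged key unless the editor is a superuser.
"""
from typing import Dict

# Keys that grant elevated rights. 'superuser' and 'admin' are named in the
# advisory; treating exactly these two as privileged is an assumption.
PRIVILEGED_KEYS = frozenset({"superuser", "admin"})

Perms = Dict[str, str]  # permission key -> "1" (granted) / "0" (denied)


class PermissionDenied(Exception):
    pass


def _can_edit_users(editor: Perms) -> bool:
    return editor.get("superuser") == "1" or editor.get("users.edit") == "1"


def vulnerable_update(editor: Perms, target: Perms, requested: Perms) -> Perms:
    """Mirrors the flaw: only 'superuser' is removed from the request body,
    so 'admin' (and anything else) is written through for any users.edit holder."""
    if not _can_edit_users(editor):
        raise PermissionDenied("needs users.edit")
    filtered = {k: v for k, v in requested.items() if k != "superuser"}
    updated = dict(target)
    updated.update(filtered)
    return updated


def hardened_update(editor: Perms, target: Perms, requested: Perms) -> Perms:
    """Allowlist: a non-superuser editor may only touch non-privileged keys.
    A privileged key in the request is rejected outright (grant or revoke)
    rather than silently trimmed, so the caller learns the request was refused."""
    if not _can_edit_users(editor):
        raise PermissionDenied("needs users.edit")
    if editor.get("superuser") == "1":
        allowed = set(requested)            # superusers may set any key
    else:
        allowed = set(requested) - PRIVILEGED_KEYS
    rejected = set(requested) - allowed
    if rejected:
        raise PermissionDenied(f"not allowed to change: {sorted(rejected)}")
    updated = dict(target)
    updated.update(requested)
    return updated


def demo():
    """Constructed scenario: a users.edit holder PATCHes their own record."""
    editor: Perms = {"users.edit": "1", "admin": "0", "superuser": "0"}
    body: Perms = {"admin": "1", "superuser": "1"}
    escalated = vulnerable_update(editor, editor, body)   # admin becomes "1"
    try:
        hardened_update(editor, editor, body)
        blocked = False
    except PermissionDenied:
        blocked = True
    return escalated["admin"], escalated["superuser"], blocked


if __name__ == "__main__":
    print(demo())  # ('1', '0', True)
```

The hardened variant still lets a superuser grant 'admin', and still lets an ordinary editor change non-privileged keys, so the allowlist narrows only the path the advisory describes.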

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, granting a user admin rights.

Remediation

Users can upgrade to Snipe-IT version 8.4.1 or later to address this vulnerability.

Added: May 26, 2026, 10:08 PM
Updated: May 26, 2026, 10:08 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 5.9
remediation: 7.7
relevance: 9.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.