Snipe-IT Open Redirect Vulnerability

Vulnerability

An open redirect vulnerability has been identified in Snipe-IT, an IT asset and license management system, prior to version 8.4.1. The application stores the value of the HTTP Referer header in a session variable and later uses it as a redirect target without validating it, which allows an attacker to redirect users to a malicious website. The issue has been addressed in version 8.4.1.

Impact

Exploitation allows an attacker to send users from a trusted Snipe-IT URL to an arbitrary external site. This could be used for phishing attacks, session hijacking, malware distribution, or social engineering, and it damages the application's reputation.

Reproduction

To reproduce this vulnerability, the session must first be poisoned so that the stored 'Referer' value contains an attacker-controlled URL. Once the session is set up, navigate to a Snipe-IT page that processes redirect options. After clicking 'Save', the application redirects to the attacker's site, because it takes the redirect target from the poisoned 'Referer' value in the session without validating it.
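The stored-Referer pattern the advisory describes, beside a hardened version that validates the value both when it is written to the session and when it is read back for the redirect. This is an added illustration, not Snipe-IT's own code; the hostname, session key and function names are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder for the deployment's own hostname (not a Snipe-IT value).
APP_HOST = "assets.example.internal"
FALLBACK = "/"

def vulnerable_redirect_target(session: dict) -> str:
    """The pattern the advisory describes: the Referer value written into the
    session is used verbatim as the post-Save redirect target."""
    return session.get("return_to") or FALLBACK

def local_path_or_none(candidate: str, app_host: str = APP_HOST):
    """Return a same-site path+query for `candidate`, or None if it could leave the site."""
    if not candidate or any(c in candidate for c in "\\\r\n\t "):
        return None                      # backslash/whitespace parsing tricks, header injection
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None                      # javascript:, data:, and other non-web schemes
    # "//evil.example/x" has no scheme but does have a netloc; only our own host passes.
    if parts.netloc and parts.hostname != app_host.lower():
        return None
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return None                      # bare relative paths and scheme-relative paths are rejected
    # Re-emit as path+query only, so no host, userinfo or fragment component survives.
    return urlunsplit(("", "", path, parts.query, ""))

def store_return_to(session: dict, referer_header: str, app_host: str = APP_HOST) -> None:
    """Hardened store step: validate the Referer before it ever reaches the session."""
    session["return_to"] = local_path_or_none(referer_header, app_host) or FALLBACK

def safe_redirect_target(session: dict, app_host: str = APP_HOST) -> str:
    """Hardened redirect step: re-validate on the way out, in case the session value
    was written by older code or by another request path."""
    return local_path_or_none(session.get("return_to", ""), app_host) or FALLBACK

if __name__ == "__main__":
    # Constructed sample sessions: one poisoned with an external URL, one legitimate.
    poisoned = {"return_to": "https://attacker.example/login"}
    legit = {"return_to": f"https://{APP_HOST}/hardware?page=2"}
    print(vulnerable_redirect_target(poisoned))  # https://attacker.example/login
    print(safe_redirect_target(poisoned))        # /
    print(safe_redirect_target(legit))           # /hardware?page=2
```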

Remediation

Users are advised to update to Snipe-IT version 8.4.1 or later, where this vulnerability has been patched.

Added: May 26, 2026, 10:07 PM
Updated: May 26, 2026, 10:07 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.2
exploitability: 7.4
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.