CVE-2026-38533 Overview
CVE-2026-38533 is an improper authorization vulnerability [CWE-285] in Snipe-IT v8.4.0, an open-source IT asset management application. The flaw resides in the /api/v1/users/{id} endpoint and allows authenticated attackers holding the users.edit permission to modify sensitive authentication and account-state fields belonging to other non-admin users. Exploitation occurs through a crafted HTTP PUT request and does not require administrative privileges.
Critical Impact
Attackers with limited users.edit rights can alter other users' authentication data, enabling account takeover of non-admin accounts within the Snipe-IT deployment.
Affected Products
- Snipe-IT v8.4.0
- Snipe-IT REST API /api/v1/users/{id} endpoint
- Self-hosted Snipe-IT instances exposing the user management API
Discovery Timeline
- 2026-04-14 - CVE-2026-38533 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-38533
Vulnerability Analysis
The vulnerability stems from insufficient authorization checks on the user update endpoint in Snipe-IT v8.4.0. The application validates that the requester holds the users.edit permission but fails to restrict which fields that permission allows modification of, and against which target accounts. As a result, a low-privileged authenticated user with editing rights can issue PUT requests targeting other non-admin users and overwrite authentication-related and account-state attributes that should be limited to administrators.
Because the endpoint accepts modifications to sensitive fields, attackers can manipulate values that govern access to the application. This breaks the role separation model and converts a delegated editing capability into a path for horizontal privilege escalation against other non-admin accounts.
Root Cause
The root cause is missing field-level and target-level authorization on the /api/v1/users/{id} PUT handler. The endpoint enforces a broad permission check but does not enforce per-field policy or validate that the authenticated principal should be allowed to alter the targeted account's authentication state. This maps to CWE-285: Improper Authorization.
Attack Vector
Exploitation requires network access to the Snipe-IT API and an authenticated session with the users.edit permission. The attacker crafts a PUT request to /api/v1/users/{id}, where {id} corresponds to a victim non-admin user, and includes a JSON body containing sensitive authentication or account-state fields. The server applies the changes without re-validating authorization at the field level. A proof-of-concept request flow is documented in the GitHub PoC for CVE-2026-38533.
Detection Methods for CVE-2026-38533
Indicators of Compromise
- PUT requests to /api/v1/users/{id} originating from non-administrative API tokens or sessions
- Unexpected modifications to authentication fields on non-admin user records in the Snipe-IT database audit log
- API activity from users.edit role holders that targets user IDs other than their own
- Sudden inability of legitimate users to authenticate following an API update event
Detection Strategies
- Enable and review Snipe-IT's built-in activity log for User model updates, correlating actor identity with target user IDs
- Alert on PUT requests to /api/v1/users/{id} where the request body contains password, email, or activation-state fields
- Baseline expected API consumers and flag deviations where users.edit accounts mutate other accounts
Monitoring Recommendations
- Forward Snipe-IT application logs and reverse proxy access logs to a centralized logging platform for retention and correlation
- Track API token usage patterns and rotate tokens that exhibit anomalous user-modification behavior
- Periodically audit role assignments to confirm that the users.edit permission is granted only to trusted administrators
How to Mitigate CVE-2026-38533
Immediate Actions Required
- Restrict the users.edit permission to administrators until a fixed Snipe-IT version is deployed
- Place the /api/v1/users/{id} endpoint behind a reverse proxy ACL that limits access to trusted networks
- Audit existing user accounts for unauthorized changes to authentication or account-state fields
- Rotate credentials and API tokens for any account suspected of being modified through this endpoint
Patch Information
At the time of publication, refer to the GitHub Advisory for CVE-2026-38533 and the Snipe-IT Application Homepage for the latest release notes and fixed versions. Upgrade beyond Snipe-IT v8.4.0 once a patched build is available from the vendor.
Workarounds
- Remove the users.edit permission from non-administrative roles to eliminate the prerequisite for exploitation
- Deploy a web application firewall rule that blocks PUT requests to /api/v1/users/{id} containing password or activation fields from non-admin tokens
- Enable multi-factor authentication on all Snipe-IT accounts to limit the impact of altered authentication data
- Increase audit log review cadence for the User model until the patched release is installed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

