Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-38533

CVE-2026-38533: Snipe-IT Auth Bypass Vulnerability

CVE-2026-38533 is an authentication bypass flaw in Snipeitapp Snipe-IT that allows attackers with users.edit permission to modify sensitive fields of other users. This post covers technical details, affected versions, impact, and mitigation.

Updated:

CVE-2026-38533 Overview

CVE-2026-38533 is an improper authorization vulnerability [CWE-285] in Snipe-IT v8.4.0, an open-source IT asset management application. The flaw resides in the /api/v1/users/{id} endpoint and allows authenticated attackers holding the users.edit permission to modify sensitive authentication and account-state fields belonging to other non-admin users. Exploitation occurs through a crafted HTTP PUT request and does not require administrative privileges.

Critical Impact

Attackers with limited users.edit rights can alter other users' authentication data, enabling account takeover of non-admin accounts within the Snipe-IT deployment.

Affected Products

  • Snipe-IT v8.4.0
  • Snipe-IT REST API /api/v1/users/{id} endpoint
  • Self-hosted Snipe-IT instances exposing the user management API

Discovery Timeline

  • 2026-04-14 - CVE-2026-38533 published to NVD
  • 2026-05-01 - Last updated in NVD database

Technical Details for CVE-2026-38533

Vulnerability Analysis

The vulnerability stems from insufficient authorization checks on the user update endpoint in Snipe-IT v8.4.0. The application validates that the requester holds the users.edit permission but fails to restrict which fields that permission allows modification of, and against which target accounts. As a result, a low-privileged authenticated user with editing rights can issue PUT requests targeting other non-admin users and overwrite authentication-related and account-state attributes that should be limited to administrators.

Because the endpoint accepts modifications to sensitive fields, attackers can manipulate values that govern access to the application. This breaks the role separation model and converts a delegated editing capability into a path for horizontal privilege escalation against other non-admin accounts.

Root Cause

The root cause is missing field-level and target-level authorization on the /api/v1/users/{id} PUT handler. The endpoint enforces a broad permission check but does not enforce per-field policy or validate that the authenticated principal should be allowed to alter the targeted account's authentication state. This maps to CWE-285: Improper Authorization.

Attack Vector

Exploitation requires network access to the Snipe-IT API and an authenticated session with the users.edit permission. The attacker crafts a PUT request to /api/v1/users/{id}, where {id} corresponds to a victim non-admin user, and includes a JSON body containing sensitive authentication or account-state fields. The server applies the changes without re-validating authorization at the field level. A proof-of-concept request flow is documented in the GitHub PoC for CVE-2026-38533.

Detection Methods for CVE-2026-38533

Indicators of Compromise

  • PUT requests to /api/v1/users/{id} originating from non-administrative API tokens or sessions
  • Unexpected modifications to authentication fields on non-admin user records in the Snipe-IT database audit log
  • API activity from users.edit role holders that targets user IDs other than their own
  • Sudden inability of legitimate users to authenticate following an API update event

Detection Strategies

  • Enable and review Snipe-IT's built-in activity log for User model updates, correlating actor identity with target user IDs
  • Alert on PUT requests to /api/v1/users/{id} where the request body contains password, email, or activation-state fields
  • Baseline expected API consumers and flag deviations where users.edit accounts mutate other accounts

Monitoring Recommendations

  • Forward Snipe-IT application logs and reverse proxy access logs to a centralized logging platform for retention and correlation
  • Track API token usage patterns and rotate tokens that exhibit anomalous user-modification behavior
  • Periodically audit role assignments to confirm that the users.edit permission is granted only to trusted administrators

How to Mitigate CVE-2026-38533

Immediate Actions Required

  • Restrict the users.edit permission to administrators until a fixed Snipe-IT version is deployed
  • Place the /api/v1/users/{id} endpoint behind a reverse proxy ACL that limits access to trusted networks
  • Audit existing user accounts for unauthorized changes to authentication or account-state fields
  • Rotate credentials and API tokens for any account suspected of being modified through this endpoint

Patch Information

At the time of publication, refer to the GitHub Advisory for CVE-2026-38533 and the Snipe-IT Application Homepage for the latest release notes and fixed versions. Upgrade beyond Snipe-IT v8.4.0 once a patched build is available from the vendor.

Workarounds

  • Remove the users.edit permission from non-administrative roles to eliminate the prerequisite for exploitation
  • Deploy a web application firewall rule that blocks PUT requests to /api/v1/users/{id} containing password or activation fields from non-admin tokens
  • Enable multi-factor authentication on all Snipe-IT accounts to limit the impact of altered authentication data
  • Increase audit log review cadence for the User model until the patched release is installed

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.