Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-44832

CVE-2026-44832: Snipe-IT Privilege Escalation Vulnerability

CVE-2026-44832 is a privilege escalation flaw in Snipe-IT that allows authenticated users with users.edit permission to gain admin access. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-44832 Overview

CVE-2026-44832 is a privilege escalation vulnerability in Snipe-IT, an open-source IT asset and license management system maintained by Grokability. Versions prior to 8.4.1 allow an authenticated user holding only the users.edit permission to grant themselves administrative rights. The flaw resides in the API user controller, which strips the superuser key from incoming permission arrays but leaves the admin key and other permission flags writable. By sending a crafted PATCH request to /api/v1/users/{id} with permissions[admin]=1, a low-privileged operator can elevate to admin. The issue is tracked under [CWE-281] Improper Preservation of Permissions and resolved in Snipe-IT 8.4.1.

Critical Impact

Any authenticated account with user-edit rights can self-promote to administrator, breaking the integrity of role-based access control across the asset management platform.

Affected Products

  • Snipe-IT versions prior to 8.4.1
  • Snipe-IT API endpoint /api/v1/users/{id} (PATCH handler)
  • Deployments exposing user management to non-admin operators

Discovery Timeline

  • 2026-05-26 - CVE-2026-44832 published to NVD
  • 2026-05-26 - Last updated in NVD database
  • Fixed Version - Snipe-IT 8.4.1 released with patched UsersController

Technical Details for CVE-2026-44832

Vulnerability Analysis

The vulnerability lives in the API users controller that processes permission updates. When an authenticated user submits a PATCH request to modify another user (or themselves) via /api/v1/users/{id}, the controller accepts an arbitrary permissions array. The controller's sanitization logic only filters the superuser key. Every other permission key, including admin, propagates directly into the persisted permissions JSON. As a result, the users.edit permission becomes a transitive grant for full administrative control over Snipe-IT.

Root Cause

The root cause is incomplete authorization checking on a sensitive field update. The controller treats the permissions blob as a single opaque structure rather than enforcing per-key authorization. Because admin assignment is not gated by a check that the calling user is already an admin, the privilege boundary collapses to the weaker users.edit capability.

Attack Vector

Exploitation requires only a valid API token or session for an account that has been delegated users.edit. The attacker issues a PATCH against their own user ID with the JSON body setting permissions[admin]=1. The next authenticated request from that user is honored with admin scope, granting full read and write access to assets, licenses, users, and configuration.

php
// Patched logic in app/Http/Controllers/Users/UsersController.php
// Source: https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569

// Figure out of this user was an admin before this edit
$orig_permissions_array = $user->decodePermissions();
$orig_superuser = '0';
$orig_admin = '0';
if (is_array($orig_permissions_array)) {
    if (array_key_exists('superuser', $orig_permissions_array)) {
        $orig_superuser = $orig_permissions_array['superuser'];
    }
}

if (is_array($orig_permissions_array)) {
    if (array_key_exists('admin', $orig_permissions_array)) {
        $orig_admin = $orig_permissions_array['admin'];
    }
}

The patch introduces an explicit capture of the prior admin state so the controller can compare and reject unauthorized elevation. A companion change in app/Http/Controllers/Api/UsersController.php ensures permissions are encoded as JSON before storage:

php
// Source: https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569
$user->permissions = json_encode($permissions_array);

Detection Methods for CVE-2026-44832

Indicators of Compromise

  • PATCH requests to /api/v1/users/{id} containing permissions[admin]=1 or equivalent JSON body originating from non-admin sessions.
  • Audit log entries showing a user's admin flag transitioning from 0 to 1 without a corresponding admin actor.
  • Sudden appearance of new admin-only actions (settings changes, user creation, backup downloads) initiated by accounts previously limited to user editing.

Detection Strategies

  • Parse Snipe-IT web server logs for PATCH /api/v1/users/ requests and correlate the request body against the actor's pre-existing role.
  • Compare the current permissions JSON stored in the users table against historical snapshots to flag unauthorized admin grants.
  • Alert on any role escalation event where the modifying user is not already an administrator.

Monitoring Recommendations

  • Enable verbose API access logging on the Snipe-IT application server and forward logs to a centralized analytics platform.
  • Track API token usage patterns, especially tokens belonging to support or help-desk roles that legitimately need users.edit.
  • Review newly elevated administrator accounts on a recurring basis and validate the change ticket trail.

How to Mitigate CVE-2026-44832

Immediate Actions Required

  • Upgrade Snipe-IT to version 8.4.1 or later as the primary remediation.
  • Audit the current administrator list and revoke any accounts that were elevated outside of authorized change windows.
  • Rotate API tokens for accounts holding users.edit permission to invalidate any tokens captured during the exposure window.

Patch Information

The fix is delivered in Snipe-IT 8.4.1 via commit ce18ff669ceb0f0349749fd5d11c1d3d40b10569. Refer to the GitHub Security Advisory GHSA-hq28-crg7-95pr for vendor guidance. The patch hardens both the API and web UsersController to capture the prior admin state and reject unauthorized elevation.

Workarounds

  • Restrict the users.edit permission to administrators until the upgrade is applied.
  • Place the Snipe-IT API behind a web application firewall rule that blocks PATCH requests to /api/v1/users/ containing an admin key in the permissions body.
  • Disable or restrict API token issuance for non-admin roles during the remediation window.
bash
# Example WAF rule (ModSecurity) to block admin elevation attempts
SecRule REQUEST_METHOD "@streq PATCH" \
  "chain,phase:2,deny,status:403,id:1004483,msg:'Snipe-IT CVE-2026-44832 admin elevation attempt'"
  SecRule REQUEST_URI "@rx ^/api/v1/users/[0-9]+" \
    "chain"
    SecRule REQUEST_BODY "@rx permissions(\[|%5B)admin(\]|%5D)\s*=\s*[\"']?1" "t:lowercase"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.