CVE-2026-44832: Snipe-IT has Privilege Escalation via API Permissions Assignment

May 8, 2026

An authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users.

References

github.com/advisories/GHSA-hq28-crg7-95pr
github.com/grokability/snipe-it
github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569
github.com/grokability/snipe-it/security/advisories/GHSA-hq28-crg7-95pr
nvd.nist.gov/vuln/detail/CVE-2026-44832

Code Behaviors & Features

Detect and mitigate CVE-2026-44832 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →