EXECUTIVE SUMMARY:
Two vulnerabilities have been discovered in Snipe-IT, an open-source IT asset management platform, which could allow attackers to gain unauthorized privileges or execute malicious code remotely. The first issue stems from improper access control in the file upload API, enabling unauthorized users to upload files that may lead to remote code execution (RCE). The second issue is a privilege escalation flaw in which authenticated users with limited permissions can manipulate API requests to assign themselves administrative rights. Organizations running affected deployments are strongly advised to apply the latest updates and review their environments for any signs of unauthorized access or misuse.

CVE-2026-37709 (CVSS score 9.8): An improper access control vulnerability in Snipe-IT allows remote attackers to upload malicious files through the /api/v1/{object_type}/{id}/files endpoint because the permission check validates "view" access instead of write permissions. This flaw may lead to arbitrary code execution and full compromise of the affected application server.

CVE-2026-44832 (CVSS score 7.1): A privilege escalation vulnerability in Snipe-IT allows authenticated users with the users.edit permission to elevate their privileges to administrator level via crafted PATCH requests to the user management API. The issue exists because the application improperly validates permission assignments and fails to restrict sensitive permission keys.
RECOMMENDATION:
We recommend updating snipe/snipe-it to version 8.4.1 or later.
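To support the review of existing deployments, the following added example (not part of this advisory or of the Snipe-IT project) triages web-server access logs for successful requests to the two API endpoints named above: POST uploads to /api/v1/{object_type}/{id}/files and PATCH/PUT modifications of /api/v1/users/{id}. The log lines, client addresses and timestamps are constructed sample data; the combined-log regex assumes a standard Apache/nginx access-log format in front of Snipe-IT.

```python
import re

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:01:02 +0000] "GET /api/v1/hardware/12 HTTP/1.1" 200 812 "-" "curl/8.5"
10.0.0.5 - - [01/May/2026:10:01:09 +0000] "POST /api/v1/hardware/12/files HTTP/1.1" 200 233 "-" "curl/8.5"
10.0.0.7 - - [01/May/2026:10:02:15 +0000] "PATCH /api/v1/users/4 HTTP/1.1" 200 540 "-" "python-requests/2.31"
10.0.0.9 - - [01/May/2026:10:03:00 +0000] "POST /api/v1/users/4/files HTTP/1.1" 403 120 "-" "curl/8.5"
10.0.0.9 - - [01/May/2026:10:03:30 +0000] "PUT /api/v1/users/4 HTTP/1.1" 200 540 "-" "Mozilla/5.0"
10.0.0.3 - - [01/May/2026:10:04:00 +0000] "GET /api/v1/users/4 HTTP/1.1" 200 540 "-" "Mozilla/5.0"
"""

# Assumed Apache/nginx combined log format: client, identd, user, [time], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The advisory's upload endpoint: {object_type} is any single path segment, {id} numeric.
UPLOAD_RE = re.compile(r'^/api/v1/[^/]+/\d+/files/?$')
# The user-management endpoint targeted by the crafted PATCH requests.
USER_EDIT_RE = re.compile(r'^/api/v1/users/\d+/?$')


def triage(log_text):
    """Return review findings for successful requests to the two affected endpoints."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        method, path, status = match['method'], match['path'], int(match['status'])
        if status >= 400:
            continue  # rejected requests cannot have uploaded a file or changed a user
        if method == 'POST' and UPLOAD_RE.match(path):
            reason = 'CVE-2026-37709: file upload accepted; confirm the caller had write rights'
        elif method in ('PATCH', 'PUT') and USER_EDIT_RE.match(path):
            reason = 'CVE-2026-44832: user record modified via API; check for permission changes'
        else:
            continue
        findings.append({'line': line_no, 'client': match['client'], 'time': match['time'],
                         'method': method, 'path': path, 'reason': reason})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['method']} {f['path']} -> {f['reason']}")
```

Every hit is a review item, not proof of compromise: user edits by known administrators are normal, so correlate each finding with the account behind the API token and with the user's permission set before and after the request.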
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-xg82-2hrv-hf64
https://github.com/advisories/GHSA-hq28-crg7-95pr