Home
Description
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.
References
github.com/...ity-Advisories/blob/main/CVE-2026-38533/poc.md
github.com/...O/Security-Advisories/tree/main/CVE-2026-38533