An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.
References
| Link | Resource |
|---|---|
| https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38533 | Exploit Mitigation Third Party Advisory |
| https://snipeitapp.com/ | Product |
| https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2026-38533/poc.md | Exploit Third Party Advisory |
Configurations
History
17 Jun 2026, 10:41
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38533 - Exploit, Mitigation, Third Party Advisory |
01 May 2026, 15:23
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Snipeitapp snipe-it
Snipeitapp |
|
| CPE | cpe:2.3:a:snipeitapp:snipe-it:8.4.0:*:*:*:*:*:*:* | |
| References | () https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38533 - Exploit, Third Party Advisory, Mitigation | |
| References | () https://snipeitapp.com/ - Product | |
| References | () https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2026-38533/poc.md - Exploit, Third Party Advisory |
16 Apr 2026, 13:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| CWE | CWE-285 |
14 Apr 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-14 16:16
Updated : 2026-06-17 10:41
NVD link : CVE-2026-38533
Mitre link : CVE-2026-38533
CVE.ORG link : CVE-2026-38533
JSON object : View
Products Affected
snipeitapp
- snipe-it
CWE
CWE-285
Improper Authorization
