← back
CVE-2026-38533

CVE-2026-38533

CVSS 6.5 MEDIUMEPSS 0.3%CWE-285
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected products
n/a · n/a
public PoCs found1
cve_referencegithub.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2026-38533/poc.mdunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2026-38533/poc.mdhttps://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38533https://snipeitapp.com/