Severity: high
CVE: CVE-2026-44831, CVE-2026-44832, CVE-2026-44833
CWE: CWE-281, CWE-863, CWE-79, CWE-601
Affected Surface: Snipe-IT before 8.4.1, Snipe-IT 8.4.0, Snipe-IT /api/v1/users/{id} permission update path, Snipe-IT component checkout notes, Snipe-IT redirect_option=back flows
Snipe-IT 8.4.1 fixes three security issues that were published to NVD on 26 May. The most important is CVE-2026-44832, a high-severity authorization bug in the user API. The same release also fixes CVE-2026-44831, a stored XSS in component checkout notes, and CVE-2026-44833, an open redirect in “back” redirect handling.
Snipe-IT is often deployed as an internal asset and license inventory system, which makes its permission model security-sensitive. A compromised low-privilege inventory account may have visibility into devices, assignments, users, serial numbers, and procurement metadata; an admin escalation turns that into control of the asset system itself.
CVE-2026-44832: users.edit to admin
The vulnerable API path allowed an authenticated user with only users.edit to send a user update that assigned admin permissions:
PATCH /api/v1/users/{id}
Content-Type: application/x-www-form-urlencoded
permissions[admin]=1
The advisory states that the API controller stripped the superuser key but allowed admin and other permission keys through. The practical bug class is mass assignment across a permissions boundary: the endpoint treated a permission-bearing field as ordinary user-edit data.
The fix preserves the previous admin state and prevents non-admin, non-superuser callers from changing it:
// Record the target user's stored admin flag before the request data is applied
$orig_admin = '0';
if (is_array($orig_permissions_array)) {
    if (array_key_exists('admin', $orig_permissions_array)) {
        $orig_admin = $orig_permissions_array['admin'];
    }
}
// Only admins and superusers may change the admin flag; for any other caller
// the stored value is written back over whatever the request supplied
if ((! auth()->user()->isSuperUser()) && (! auth()->user()->isAdmin())) {
    unset($permissions_array['admin']);
    $permissions_array['admin'] = $orig_admin;
}
That is the right shape of fix: privileged fields should be derived from the current authorization context, not trusted from request input.
CVE-2026-44831: component checkout notes XSS
The XSS bug was narrower but still relevant for inventory workflows. Users with component view access could be affected by an unescaped note field in component checkout data. The patch is a one-line output-encoding fix in ComponentsTransformer.php:
- 'note' => $asset->pivot->note,
+ 'note' => e($asset->pivot->note),
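Review bot: e() HTML-escapes the note at the transformer boundary, but this hunk covers only the pivot note on the component checkout row; the change should confirm that no other free-text pivot attribute emitted by ComponentsTransformer.php is still passed through raw, and that the front-end code consuming this field does not escape it a second time, since e() on already-escaped content double-encodes entities.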
The important lesson is where the escaping happened. Data stored on a pivot record is still attacker-controlled if a user can write or influence checkout notes. API transformers and table serializers need the same HTML-output discipline as Blade templates when their output is rendered by the browser.
CVE-2026-44833: untrusted back redirect
The open redirect used the redirect_option=back flow. The advisory describes a sequence where the application pulled back_url from session and redirected to it:
redirect_option=back
session back_url=https://evil.example/phishing?target=snipeit
redirect()->to($backUrl)
The patch moves the stored value to Laravel’s intended URL flow and redirects with intended():
-$backUrl = Session::pull('back_url', route('home'));
+$backUrl = session()->pull('url.intended', 'home');
-return redirect()->to($backUrl);
+return redirect()->intended($backUrl);
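Review bot: the explicit session()->pull('url.intended', 'home') is redundant with redirect()->intended(), which pulls the same session key itself and uses its argument only as the fallback when the key is absent; because the first pull has already removed the key, intended($backUrl) behaves like to($backUrl) here. The effective change is switching from the request-influenced back_url key to url.intended, so the fix depends on url.intended being written only by server-side code and never from a request parameter, which the commit should state. The fallback also changes from route('home') to the bare string 'home'; confirm that resolves to the same route rather than a path relative to the current URL.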
The advisory notes that practical exploitation requires session poisoning, so this should not be prioritized above the admin escalation. It is still worth patching quickly because open redirects turn trusted internal domains into phishing infrastructure, especially for self-hosted business applications.
Affected versions
All three advisories list affected Snipe-IT versions before 8.4.1, with 8.4.0 specifically called out in the advisory titles. The fixed release is 8.4.1.
Remediation
Upgrade Snipe-IT to 8.4.1 or later.
After upgrading, review:
- Users whose permissions changed unexpectedly, especially accounts that gained admin.
- API logs for PATCH or PUT requests to /api/v1/users/{id} containing permissions[admin] or other permission keys.
- Component checkout notes containing HTML or script-like payloads.
- Suspicious redirects from Snipe-IT pages to external domains.
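One way to carry out the API-log review above, as an added example that is not part of the original advisory or of Snipe-IT itself: it scans request records for PATCH or PUT calls to /api/v1/users/{id} whose body carries permissions[...] keys, in either form-encoded or JSON form, and marks the ones that set admin or superuser to 1. The one-JSON-object-per-line log format and the sample records are constructed assumptions; a proxy or WAF that logs request bodies would be the real source.

```python
import json
import re
from urllib.parse import parse_qs

# Assumed log format (constructed for this example): one JSON object per line with
# method, path, actor and body, as a proxy or WAF that records request bodies would
# emit; a plain web-server access log carries no bodies, so it cannot feed this check.
USER_PATH = re.compile(r"^/api/v1/users/(\d+)$")
PRIVILEGED_KEYS = {"admin", "superuser"}

def permission_keys(body: str) -> dict:
    """Return {permission_key: value} from a form-encoded or JSON request body."""
    if body.lstrip().startswith("{"):
        try:
            perms = json.loads(body).get("permissions")
        except (ValueError, AttributeError):
            perms = None
        return {k: str(v) for k, v in perms.items()} if isinstance(perms, dict) else {}
    return {m.group(1): v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()
            if (m := re.fullmatch(r"permissions\[([^\]]+)\]", k))}  # parse_qs URL-decodes keys

def scan_line(line: str):
    """Flag a PATCH/PUT to /api/v1/users/{id} whose body carries permission keys."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None  # malformed line: skip it rather than abort the whole scan
    if not isinstance(rec, dict) or rec.get("method") not in ("PATCH", "PUT"):
        return None
    m = USER_PATH.match(str(rec.get("path", "")))
    if not m:
        return None
    perms = permission_keys(str(rec.get("body") or ""))
    if not perms:
        return None
    # admin/superuser set to "1" is the escalation pattern; other keys still merit review
    return {"actor": rec.get("actor"), "target_user": int(m.group(1)), "keys": sorted(perms),
            "grants_privilege": any(perms.get(k) == "1" for k in PRIVILEGED_KEYS)}

def scan(lines) -> list:
    return [f for f in (scan_line(l) for l in lines) if f]

SAMPLE_LOG = [json.dumps(r) for r in [  # constructed records, not real Snipe-IT logs
    {"method": "PATCH", "path": "/api/v1/users/42", "actor": "inventory-clerk",
     "body": "first_name=Alice&permissions%5Badmin%5D=1"},
    {"method": "PUT", "path": "/api/v1/users/7", "actor": "inventory-clerk",
     "body": "{\"permissions\": {\"users.view\": \"1\"}}"},
    {"method": "PATCH", "path": "/api/v1/users/42", "actor": "helpdesk", "body": "first_name=Alice"},
    {"method": "PATCH", "path": "/api/v1/hardware/3", "actor": "helpdesk", "body": "permissions[admin]=1"},
]]
```

Findings are deliberately not filtered by the caller's role, since the log does not carry it; a hit from an account that was legitimately an admin is triaged by hand, while any hit from a users.edit-only account is the escalation described above.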
If a non-admin account gained admin before patching, treat the Snipe-IT instance as compromised: remove unauthorized permissions, rotate API tokens, review audit logs, and verify whether asset inventory data was exported or modified.