CVE-2026-38533

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

14/04/2026

Last modified:

14/04/2026

Description

An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.

Impact

References to Advisories, Solutions, and Tools

https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38533
https://snipeitapp.com/