CVE-2026-38533

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Apr 14, 2026

Vendor unknown

Description

An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.

References

https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38533
https://snipeitapp.com/