php · snipe/snipe-it · Heads-up

Snipe-IT Privilege Escalation via PATCH /api/v1/users/{id}

24 Jun 2026 · Read 1 min · Severity: schedule it

What changed

A privilege escalation vulnerability allows users with only users.edit and api permissions to grant themselves additional permissions (except admin/superuser) via a PATCH request to /api/v1/users/{their_own_id}.

Who it affects

Snipe-IT instances where users have users.edit and api permissions.

What to do today

Apply the patch from pull request #19024 to prevent unauthorized permission escalation.
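
Alongside patching, it is worth checking whether any account already gained permissions this way. The following is an added example, not code from Snipe-IT or from the pull request: it compares two snapshots of user permissions and flags non-privileged accounts that held users.edit and api and later gained permissions. The snapshot format (user id mapped to permission name and a value where 1 means granted) and all sample data are assumptions constructed for illustration.

```python
# Added example: audit two permission snapshots for the escalation pattern
# described in this advisory. Snapshot format and sample data are constructed.

PRECONDITION = {"users.edit", "api"}   # permissions the advisory names
EXCLUDED = {"admin", "superuser"}      # advisory: these cannot be self-granted


def granted(perms):
    """Return the permission names whose value is 1 (granted)."""
    return {name for name, value in perms.items() if int(value) == 1}


def find_suspect_escalations(before, after):
    """Flag users who met the bug's precondition and then gained permissions.

    before/after: {user_id: {permission_name: value}} (assumed format).
    Returns {user_id: sorted list of newly granted permissions}.
    """
    findings = {}
    for user_id, old_perms in before.items():
        if user_id not in after:
            continue  # account no longer exists, nothing to compare
        old = granted(old_perms)
        new = granted(after[user_id])
        # Skip accounts that lacked users.edit + api, or were already
        # admin/superuser, since the advisory does not apply to them.
        if not PRECONDITION <= old or old & EXCLUDED:
            continue
        gained = new - old - EXCLUDED
        if gained:
            findings[user_id] = sorted(gained)
    return findings


# Constructed sample snapshots.
BEFORE = {
    7: {"users.edit": 1, "api": 1, "assets.view": 1},
    8: {"users.edit": 1, "assets.view": 1},              # no api permission
    9: {"superuser": 1, "users.edit": 1, "api": 1},      # already privileged
}
AFTER = {
    7: {"users.edit": 1, "api": 1, "assets.view": 1,
        "assets.delete": 1, "reports.view": 1},
    8: {"users.edit": 1, "assets.view": 1, "assets.edit": 1},
    9: {"superuser": 1, "users.edit": 1, "api": 1, "licenses.keys": 1},
}

if __name__ == "__main__":
    for uid, perms in find_suspect_escalations(BEFORE, AFTER).items():
        print(f"user {uid} gained: {', '.join(perms)}")
```

A flagged account is a candidate for review, not proof of abuse: an administrator may have granted the same permissions legitimately, so compare findings against change records.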
