Vulnerability Details CVE-2026-38533
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 14.5%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2026-38533
-
cpe:2.3:a:snipeitapp:snipe-it:8.4.0