
Snipe-IT API Authorization Bypass Enables Unauthenticated File Upload & Code Execution

Snipe-IT versions ≤8.4.0 suffer from an authorization bypass in the file upload API endpoint that allows authenticated users with only 'view' permissions to upload arbitrary files, leading to remote code execution. Defenders must immediately patch or restrict API access.

Sebastion

CVE References

Affected

grokability/snipe-it (≤8.4.0)

Vulnerability Description

Snipe-IT contains an insecure permission check in the UploadedFilesController.php API handler. The /api/v1/{object_type}/{id}/files endpoint validates authorization against the 'view' permission instead of the required 'write' permission. This permits any authenticated user with read-only access to assets, consumables, or other inventory items to upload files to those objects. The uploaded files are persisted to the filesystem and corresponding audit log entries are written, which opens an attack surface for arbitrary file placement and, depending on deployment configuration and file handling, potential code execution.

Proof-of-Concept Significance

This vulnerability demonstrates a privilege escalation and authorization bypass chain. The PoC proves that the permission model is incorrectly enforced at the API layer; attackers need only valid authentication credentials with minimal privileges. The reliability is high—the issue is a straightforward logic error in the authorization check rather than a race condition or edge case. Preconditions are minimal: an attacker requires any authenticated account (even read-only roles) and network access to the API endpoint.

Detection Guidance

Log Indicators:

  • POST requests to /api/v1/*/*/files (wildcard matching object types and IDs) from low-privilege accounts
  • Audit log entries showing file uploads associated with 'view'-only API tokens or session identities
  • File upload operations in storage/uploads/ or similar directories with timestamps correlating to suspicious API activity
  • HTTP 200/201 responses to file upload POST requests from unexpected sources

Network Signatures:

  • Regex: POST /api/v1/[a-z_]+/\d+/files with multipart form-data payloads
  • Correlation: API calls with Authorization headers paired with minimal permission tokens
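As an added example (not part of this advisory or of the Snipe-IT project), the Python scanner below applies the log indicators above to constructed key=value access-log lines: it matches POSTs to the /api/v1/{object_type}/{id}/files shape, checks for multipart bodies and 2xx acceptance, and rates the finding by whether the calling account's role should hold upload rights. The log field layout and the set of write-capable roles (WRITE_ROLES) are assumptions.

```python
import re
from typing import Dict, List, Optional

# Endpoint shape named in the advisory: /api/v1/{object_type}/{id}/files
FILES_ENDPOINT = re.compile(r"^/api/v1/(?P<object_type>[a-z_]+)/(?P<object_id>\d+)/files$")
# key=value tokens; quoted values may contain spaces (e.g. a Content-Type header).
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Roles assumed to legitimately hold upload rights in this hypothetical deployment.
WRITE_ROLES = {"admin", "superuser", "write"}

def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw, _ in KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def classify(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a POST to the files endpoint, or None for anything else."""
    if fields.get("method") != "POST":
        return None
    m = FILES_ENDPOINT.match(fields.get("path", ""))
    if not m:
        return None
    multipart = fields.get("ctype", "").lower().startswith("multipart/form-data")
    accepted = fields.get("status") in ("200", "201")
    role = fields.get("role", "unknown")
    if role not in WRITE_ROLES and accepted:
        severity = "high"      # upload accepted from an account that should only 'view'
    elif role not in WRITE_ROLES:
        severity = "medium"    # low-privilege attempt that the server rejected
    else:
        severity = "info"      # expected upload by a role that holds write rights
    return {"ts": fields.get("ts", ""), "user": fields.get("user", "?"), "role": role,
            "object_type": m["object_type"], "object_id": m["object_id"],
            "status": fields.get("status", "?"), "multipart": multipart, "severity": severity}

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify over every line and keep only the findings."""
    return [f for f in (classify(parse_line(ln)) for ln in lines) if f]

# Constructed sample log lines (not real data); the field layout is an assumption.
SAMPLE_LOG = [
    'ts=2026-03-11T10:15:02Z user=jdoe role=view method=POST path=/api/v1/assets/42/files status=201 ctype="multipart/form-data; boundary=abc"',
    'ts=2026-03-11T10:15:09Z user=jdoe role=view method=GET path=/api/v1/assets/42 status=200 ctype="-"',
    'ts=2026-03-11T10:16:30Z user=itadmin role=admin method=POST path=/api/v1/consumables/7/files status=200 ctype="multipart/form-data; boundary=def"',
    'ts=2026-03-11T10:17:01Z user=guest role=view method=POST path=/api/v1/licenses/3/files status=403 ctype="multipart/form-data; boundary=ghi"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed real access logs through parse_line only after mapping your own field names onto ts/user/role/method/path/status/ctype; the "high" findings are the ones to correlate against storage/uploads/ timestamps.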

Mitigation Steps

  1. Immediate: Upgrade Snipe-IT to version 8.4.1 or later (commit 676a9958 or newer, dated post-2026-03-10)
  2. Network-level: Restrict /api/v1/*/files POST endpoints to users/roles explicitly granted 'write' permissions; implement WAF rules to block suspicious file uploads
  3. Access Control: Audit existing file permissions; remove any files uploaded by low-privilege accounts that should not have upload rights
  4. Monitoring: Enable verbose API and file upload logging; configure alerts for POST operations to the affected endpoint
  5. Configuration: If patching is delayed, disable the API entirely or enforce additional authentication via reverse proxy

Risk Assessment

Likelihood of Exploitation: High. The vulnerability requires only basic API knowledge and valid credentials; no zero-day exploit is needed. Organizations running Snipe-IT inventory management—often exposed in enterprise networks—are attractive targets. Threat actors routinely target permission enforcement flaws in APIs and file upload handlers.

Threat Actor Interest: Active exploitation is probable in the wild, particularly by insiders with low-privilege accounts or by external actors who have compromised minimal-access credentials. The RCE potential (via uploaded executable files) makes this critical for IT/OT environments.

Exposure Window: Versions through 8.4.0 have been vulnerable; organizations delaying patch deployment remain at extreme risk.