{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/grokability/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-37709"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["snipe-it (\u003c 8.4.1)"],"_cs_severities":["critical"],"_cs_tags":["remote code execution","file upload","insecure permissions","asset management","CVE-2026-37709"],"_cs_type":"advisory","_cs_vendors":["grokability"],"content_html":"\u003cp\u003eSnipe-IT, a web-based IT asset management system, is vulnerable to a critical file upload vulnerability (CVE-2026-37709) affecting versions up to 8.4.0. This vulnerability stems from insufficient permission checks in the \u003ccode\u003eapp/Http/Controllers/Api/UploadedFilesController.php\u003c/code\u003e component. Specifically, the API endpoint \u003ccode\u003e/api/v1/{object_type}/{id}/files\u003c/code\u003e allows users with \u0026ldquo;view\u0026rdquo; permissions, rather than the necessary \u0026ldquo;write\u0026rdquo; permissions, to upload files. Successful exploitation of this vulnerability can lead to arbitrary code execution on the server. The vulnerability was patched after the 2026-03-10 commit 676a9958 and released in version 8.4.1. This poses a significant risk to organizations using vulnerable Snipe-IT instances, potentially allowing attackers to compromise the entire system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Snipe-IT instance running a version prior to 8.4.1.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Snipe-IT instance with user credentials that have \u0026ldquo;view\u0026rdquo; permissions for assets, consumables, or other managed objects.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/v1/{object_type}/{id}/files\u003c/code\u003e endpoint, replacing \u003ccode\u003e{object_type}\u003c/code\u003e and \u003ccode\u003e{id}\u003c/code\u003e with valid values for an existing asset or consumable.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a file containing malicious code, such as a PHP webshell, disguised as a seemingly harmless file type (e.g., image).\u003c/li\u003e\n\u003cli\u003eThe Snipe-IT application, due to insufficient permission checks, accepts the file upload and stores it on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the full path to the uploaded file on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a new HTTP request to execute the uploaded file, triggering the malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the Snipe-IT server, potentially gaining full control of the system and sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-37709 can lead to complete compromise of the Snipe-IT server. An attacker can gain unauthorized access to sensitive asset information, modify inventory data, and potentially pivot to other systems within the network. Given the critical nature of asset management systems, this vulnerability poses a severe risk to organizations of all sizes and across various sectors. The attacker could potentially steal intellectual property, disrupt operations, or launch further attacks from the compromised server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Snipe-IT installations to version 8.4.1 or later to remediate CVE-2026-37709, as this version contains the necessary permission checks in the \u003ccode\u003eapp/Http/Controllers/Api/UploadedFilesController.php\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-37709 Exploitation — SnipeIT Malicious File Upload\u0026rdquo; to detect suspicious POST requests to the \u003ccode\u003e/api/v1/{object_type}/{id}/files\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests to the \u003ccode\u003e/api/v1/{object_type}/{id}/files\u003c/code\u003e endpoint with filenames that contain suspicious extensions or patterns to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T23:04:36Z","date_published":"2026-05-08T23:04:36Z","id":"/briefs/2024-01-snipeit-file-upload-rce/","summary":"Snipe-IT versions prior to 8.4.1 are vulnerable to remote code execution due to insecure permissions on file uploads, where an attacker can upload arbitrary files and execute code on the server.","title":"Snipe-IT File Upload Vulnerability Leads to Remote Code Execution (CVE-2026-37709)","url":"https://feed.craftedsignal.io/briefs/2024-01-snipeit-file-upload-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Snipe-IT (\u003c 8.4.1)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","api"],"_cs_type":"advisory","_cs_vendors":["Grokability"],"content_html":"\u003cp\u003eSnipe-IT, a web-based IT asset management system, is susceptible to a privilege escalation vulnerability affecting versions prior to 8.4.1. An authenticated user possessing the \u003ccode\u003eusers.edit\u003c/code\u003e permission can exploit this flaw to elevate their own privileges to that of an administrator. This is achieved by sending a specifically crafted PATCH request to the \u003ccode\u003e/api/v1/users/{id}\u003c/code\u003e endpoint, where the \u003ccode\u003epermissions[admin]\u003c/code\u003e parameter is set to \u0026lsquo;1\u0026rsquo;. The vulnerability, identified as CVE-2026-44832, arises due to insufficient validation on the server-side, allowing unauthorized modification of user permissions. The absence of proper input sanitization in the API controller enables users with limited privileges to assign administrative rights to themselves, undermining the system\u0026rsquo;s security model.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Snipe-IT application with a user account that has the \u003ccode\u003eusers.edit\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the target user ID, typically their own user ID, which can be obtained from the user profile page or API.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a PATCH request to \u003ccode\u003e/api/v1/users/{id}\u003c/code\u003e, replacing \u003ccode\u003e{id}\u003c/code\u003e with the target user\u0026rsquo;s ID.\u003c/li\u003e\n\u003cli\u003eWithin the PATCH request body, the attacker includes the parameter \u003ccode\u003epermissions[admin]=1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious PATCH request to the Snipe-IT server.\u003c/li\u003e\n\u003cli\u003eThe Snipe-IT server, due to insufficient validation, accepts the request and updates the target user\u0026rsquo;s permissions, granting them administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker logs out and logs back in to the Snipe-IT application.\u003c/li\u003e\n\u003cli\u003eUpon logging back in, the attacker now possesses administrative privileges, allowing them to perform any action within the Snipe-IT system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker with limited user privileges to gain full administrative control over the Snipe-IT system. This could lead to unauthorized access to sensitive data, modification or deletion of assets, creation of rogue administrator accounts, and complete compromise of the Snipe-IT installation. The vulnerability affects all Snipe-IT instances running versions prior to 8.4.1. The scope of the impact is limited to the Snipe-IT application itself.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Snipe-IT to version 8.4.1 or later to remediate CVE-2026-44832 as per the vendor\u0026rsquo;s advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Snipe-IT Privilege Escalation Attempt via API\u003c/code\u003e to monitor for suspicious PATCH requests to the \u003ccode\u003e/api/v1/users/{id}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnable web server access logging and review logs for unusual API requests targeting user permission modification.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all API endpoints, particularly those that handle user permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:00Z","date_published":"2024-01-03T18:22:00Z","id":"/briefs/2024-01-03-snipeit-privesc/","summary":"An authenticated user with limited 'users.edit' permissions can escalate their privileges to 'admin' in Snipe-IT versions before 8.4.1 by manipulating the permissions array in a PATCH request to the API, as tracked by CVE-2026-44832.","title":"Snipe-IT Privilege Escalation via API Permissions Assignment (CVE-2026-44832)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-snipeit-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Grokability","version":"https://jsonfeed.org/version/1.1"}