Insecure Permissions vulnerability in grokability snipe-it v8.4.0 and earlier (fixed after 2026-03-10, commit 676a995) allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component
Impact
Users who could view assets, consumables, etc. were able to send a POST request to /api/v1/{object_type}/{id}/files. The API authorized the request against the "view" permission instead of a write permission, then persisted the uploaded file and an audit log entry.
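As an added illustration (not Snipe-IT's own controller code), the authorization mistake is modelled below in plain PHP: the same upload handler gated on the read ability and then on the write ability. The permission names "view"/"update", the user records and the return shapes are assumptions.

```php
<?php
// Added illustration, not Snipe-IT's code: a minimal permission gate that
// shows why gating a write endpoint on the read ability is a bug.
// Ability names, user records and the status-code return shape are assumed.

/** Constructed users: one read-only viewer, one editor with write rights. */
$users = [
    'viewer' => ['assets' => ['view']],
    'editor' => ['assets' => ['view', 'update']],
];

/** Does $user hold $ability on $objectType? */
function can(array $user, string $ability, string $objectType): bool
{
    return in_array($ability, $user[$objectType] ?? [], true);
}

/**
 * Vulnerable pattern: POST /api/v1/{object_type}/{id}/files is gated on the
 * same ability as a GET, so anyone who may *see* the item may attach files
 * to it (and produce an audit log entry for the upload).
 */
function storeFileVulnerable(array $user, string $objectType, int $id, string $file): array
{
    if (!can($user, 'view', $objectType)) {
        return ['status' => 403];
    }
    return ['status' => 200, 'stored' => "$objectType/$id/$file"];
}

/**
 * Hardened pattern: attaching a file modifies the item, so it requires the
 * write ability ('update' here), independent of whether the user may read it.
 */
function storeFile(array $user, string $objectType, int $id, string $file): array
{
    if (!can($user, 'update', $objectType)) {
        return ['status' => 403];
    }
    return ['status' => 200, 'stored' => "$objectType/$id/$file"];
}

// Demo: the viewer passes the vulnerable gate but is rejected by the fixed one;
// the editor is accepted by both.
printf("viewer, vulnerable gate: %d\n", storeFileVulnerable($users['viewer'], 'assets', 42, 'note.txt')['status']);
printf("viewer, hardened gate:   %d\n", storeFile($users['viewer'], 'assets', 42, 'note.txt')['status']);
printf("editor, hardened gate:   %d\n", storeFile($users['editor'], 'assets', 42, 'note.txt')['status']);
```

On a deployed instance, the audit log entries the advisory mentions are the place to look for uploads made by accounts that hold only view rights on the object type.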
Patches
Fixed after 2026-03-10 in commit 676a995; the fix was released in 8.4.1.
Workarounds
None