Snipe-IT CVE-2026-37709: Critical RCE via Insecure Permissions
The National Vulnerability Database (NVD) has published CVE-2026-37709, an insecure-permissions vulnerability in Snipe-IT versions 8.4.0 and earlier, rated CVSS 9.8 (critical). The flaw lies in app/Http/Controllers/Api/UploadedFilesController.php and lets an unauthenticated remote attacker execute arbitrary code on the Snipe-IT host.
The CVSS vector AV:N/AC:L/PR:N/UI:N describes a network-reachable flaw with low attack complexity that needs neither privileges nor user interaction. Code execution on the application server is the direct outcome; data exfiltration, defacement and lateral movement into the rest of the network are what typically follows, since the Snipe-IT host usually has database credentials and LDAP or SSO integration details in its configuration.
The fix is commit 676a9958 (2026-03-10) in the grokability snipe-it repository; any build that does not contain that commit should be treated as vulnerable. Snipe-IT is an asset-management system that normally holds hardware inventory, licence keys and user assignments, so an unpatched, internet-facing instance is both an easy foothold and a valuable target in its own right.
What This Means For You
- If your organization runs Snipe-IT, verify the installed build now. On a git-deployed instance, `git merge-base --is-ancestor 676a9958895a77de340565e7a0b17ae744664904 HEAD` exits 0 only when the checkout already contains the fix; for instances installed from a release archive, any version at or below 8.4.0 is inside the affected range. Upgrade to a release that includes commit `676a9958895a77de340565e7a0b17ae744664904`. If you cannot patch immediately, take the instance off the public internet or put it behind authentication at the reverse proxy, because the flaw needs no credentials to exploit.
Related ATT&CK Techniques
- T1190 Exploit Public-Facing Application (Initial Access), as tagged in the detection rule below.
🛡️ Detection Rules
The Sigma rule below was auto-generated for this advisory and mapped to MITRE ATT&CK. It is marked experimental: map its field names to your web-server log schema and tune it against your own traffic before deploying it.
```yaml
title: 'CVE-2026-37709: Snipe-IT RCE via UploadedFilesController'
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
    Detects exploitation attempts against Snipe-IT CVE-2026-37709. This rule
    specifically looks for POST requests to the /api/v1/asset/upload endpoint
    with a 'filename=' parameter in the query string, which is indicative of
    the insecure permissions vulnerability allowing RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-37709/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri|contains: '/api/v1/asset/upload'
        cs-method: 'POST'
        sc-status: 200
    selection_base:
        cs-uri-query|contains: 'filename='
    condition: selection and selection_base
falsepositives:
    - Legitimate administrative activity
```
Three corrections were needed to make this valid Sigma: the title contains a colon and must be quoted, `|exact` is not a Sigma modifier (an unmodified field is already an exact match), and the condition keyword is lowercase `and`. Two caveats before deployment: the `sc-status: 200` line means requests rejected by the application or a WAF never alert, so drop it if you want to see attempts as well as successes; and the endpoint path comes from the auto-generated rule, not from the advisory text above, so confirm it against your instance's routes before relying on it.
Source: Shimi's Cyber World
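To see exactly what the rule above fires on, here is an added Python example (not code from the page, the rule author or the Snipe-IT project) that implements the same selection logic over a few constructed Apache/nginx combined-format log lines. The endpoint path and the `filename=` marker are taken from the rule as written; the log lines, IP addresses and user agents are made up for the example. The `require_success` switch shows the effect of the rule's `sc-status: 200` condition: a blocked (403) attempt with the same request line is dropped unless the status check is relaxed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" log format.
# These are made up for the example; they are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2026:21:30:01 +0000] "POST /api/v1/asset/upload?filename=asset-photo.jpg HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.5 - - [07/May/2026:21:30:02 +0000] "POST /api/v1/asset/upload?filename=asset-photo.jpg HTTP/1.1" 403 120 "-" "curl/8.5.0"
10.0.0.9 - - [07/May/2026:21:31:10 +0000] "GET /api/v1/asset/upload?filename=asset-photo.jpg HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [07/May/2026:21:32:00 +0000] "POST /api/v1/hardware HTTP/1.1" 200 300 "-" "Mozilla/5.0"
this line is not in combined format and must be skipped, not crash the parser
"""

# Combined log format: client, identd, user, [timestamp], "request line",
# status, size, "referer", "user agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Request:
    ip: str
    method: str
    uri: str         # full request target, path plus query (Sigma cs-uri)
    query: str       # query string only (Sigma cs-uri-query)
    status: int      # HTTP status code (Sigma sc-status)
    user_agent: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m["target"]
    return Request(
        ip=m["ip"],
        method=m["method"],
        uri=target,
        query=urlsplit(target).query,
        status=int(m["status"]),
        user_agent=m["ua"],
    )


def rule_matches(req: Request, require_success: bool = True) -> bool:
    """The rule's logic: `selection and selection_base`.

    require_success=True reproduces the rule as written (sc-status: 200);
    False also flags attempts that the app or a WAF rejected.
    """
    selection = (
        "/api/v1/asset/upload" in req.uri                # cs-uri|contains
        and req.method == "POST"                         # cs-method
        and (not require_success or req.status == 200)   # sc-status
    )
    selection_base = "filename=" in req.query            # cs-uri-query|contains
    return selection and selection_base


def run_rule(log_text: str, require_success: bool = True) -> List[Request]:
    """Run the rule over a block of log text and return the matching requests."""
    hits: List[Request] = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is not None and rule_matches(req, require_success):
            hits.append(req)
    return hits


if __name__ == "__main__":
    for label, strict in (("rule as written", True), ("any status", False)):
        hits = run_rule(SAMPLE_LOG, require_success=strict)
        print(f"{label}: {len(hits)} hit(s)")
        for h in hits:
            print(f"  {h.ip} {h.method} {h.uri} -> {h.status} ({h.user_agent})")
```

Run against the embedded sample, the rule as written returns only the 200 response; the 403 attempt from the same client, which is the line an analyst most wants to see during an active scan, only appears with `require_success=False`. The GET request and the unrelated POST never match, and the malformed line is skipped rather than breaking the run.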
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-37709 | Affected versions | grokability snipe-it v8.4.0 and earlier |
| CVE-2026-37709 | Affected component | app/Http/Controllers/Api/UploadedFilesController.php |
| CVE-2026-37709 | Patch | grokability snipe-it commit 676a9958 (2026-03-10) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.