Snipe-IT unauth RCE via file upload (CVE-2026-37709)
CVE-2026-37709: insecure permissions in Snipe-IT 8.4.0 and earlier allow unauthenticated RCE via file upload (CVSS 9.8). Update to commit 676a9958 or later.
Patch now - CVE-2026-37709 is a critical insecure-permissions vulnerability in Snipe-IT v8.4.0 and earlier that allows unauthenticated remote code execution through the file upload API. It was fixed in commit 676a9958 on March 10, 2026; update immediately.
Overview
CVE-2026-37709 lies in app/Http/Controllers/Api/UploadedFilesController.php, the API upload controller of the Snipe-IT asset management application. Because of insecure permissions on that controller, any remote attacker who can reach the API can upload and then execute arbitrary files on the server without authenticating. Attack complexity is low and no user interaction is required.
Impact
A successful exploit gives the attacker remote code execution (RCE) on the host running Snipe-IT. The CVSS 9.8 critical rating reflects the network attack vector, the absence of any privilege or user-interaction requirement, and a complete loss of confidentiality, integrity and availability. Snipe-IT holds an organization's hardware, license and user inventory, so a compromised instance leaks that data directly, and because it often runs on internal networks it is also a convenient pivot point for lateral movement.
Remediation and Mitigation
Patch: Upgrade to a build that includes commit 676a9958 (March 10, 2026). For Docker deployments, pull an image built after that commit (docker pull snipe/snipe-it:latest, or preferably a release tag that contains the fix) and recreate the containers; a previously cached latest image does not help, so confirm the image digest or build date changed. For source installations, run git pull from the application root and confirm with git log that 676a9958 is in the checked-out history, not merely fetched.
Mitigation (if immediate patching is not possible): block or restrict the /api/v1/uploaded-files endpoint at a web application firewall (WAF), reverse proxy or network ACL until the patch is applied. This also breaks legitimate API uploads, so scope the rule to unauthenticated or external sources where you can. Removing write permission on the upload directory for the web server user stops uploaded files from landing, but it breaks normal upload functionality as well; whichever you choose, make sure PHP execution is disabled in upload directories and restore the original permissions once patched.
Security Insight
This vulnerability fits a recurring pattern in PHP-based management tools: file upload handlers registered without the authentication checks that protect the rest of the API. Here the upload controller appears to have been reachable outside the standard authorization middleware, an easy mistake when new endpoints are added to an existing codebase. Organizations running such tools should review every API route for missing middleware, starting with file upload and configuration endpoints, and should check the live route table rather than reading route files, since inherited group middleware is easy to misjudge.