PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44833 grokability CVE debrief

An open redirect vulnerability in Snipe-IT, an IT asset and license management system, allows attackers to redirect users to malicious sites via an unvalidated HTTP Referer header that is stored in a session variable. The vulnerability exists in versions prior to 8.4.1 and was fixed in version 8.4.1. The CVSS 3.1 vector indicates an adjacent-network attack vector, low attack complexity, low privileges required, and user interaction required, with changed scope and low impact to confidentiality, integrity, and availability. The weakness is categorized as CWE-601: URL Redirection to Untrusted Site ('Open Redirect').

Vendor
grokability
Product
snipe-it
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running Snipe-IT for IT asset and license management, particularly those with external-facing deployments or multi-tenant environments where adjacent network attackers may be present. Security teams responsible for application security and session management controls should prioritize patching.

Technical summary

The vulnerability stems from insufficient validation of the HTTP Referer header value, which is stored in a session variable and later used to determine the redirect destination. An attacker with adjacent network access and low privileges can manipulate this header so that authenticated users are redirected to attacker-controlled sites, potentially facilitating phishing or credential theft. The changed scope in the CVSS vector indicates that the vulnerable component affects resources beyond its own security scope.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Snipe-IT to version 8.4.1 or later to remediate the open redirect vulnerability.
  • Review and validate any HTTP Referer header handling in custom Snipe-IT deployments.
  • Monitor authentication flows for unexpected redirects to external domains.
  • Implement additional redirect validation at the web application firewall or reverse proxy layer as defense in depth.
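The following is an added example and not Snipe-IT's own code. It illustrates two points from this debrief in one file: the "store the Referer, redirect to it later" pattern described in the technical summary beside a hardened variant that only accepts same-origin or relative targets, and a small detector for the monitoring action above that scans access-log lines for 3xx responses whose Location header leaves the application's host. The hostname, session key, log format and every log line are constructed for the example; the function names are likewise assumptions, not identifiers from the project.

```python
"""
Added example (not Snipe-IT's own code). Two things in one file:
  1. the risky "store the Referer, redirect to it later" pattern beside a
     hardened version that only accepts same-origin or relative targets;
  2. a detector that scans access-log lines for 3xx responses whose Location
     header leaves the application's host, as a monitoring aid.
Hostnames, session keys, the log format and all log lines are constructed.
"""
import re
from urllib.parse import urlsplit

APP_HOST = "assets.example.internal"   # assumed hostname of our deployment
DEFAULT_AFTER_LOGIN = "/dashboard"     # assumed fallback landing page


def is_local_target(url: str, app_host: str = APP_HOST) -> bool:
    """True only for a same-origin absolute URL or a path starting with one '/'.

    Protocol-relative ("//evil.test") and backslash ("/\\evil.test") forms are
    rejected before parsing because browsers treat them as absolute URLs.
    """
    if not url or url.startswith("//") or url.startswith("/\\"):
        return False
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                       # javascript:, data:, etc.
    if parts.netloc:
        return parts.hostname == app_host  # "user@host" forms resolve to hostname
    return url.startswith("/")


# --- 1. redirect handling -------------------------------------------------

def store_referer(session: dict, referer: str = "") -> None:
    """Both variants stash the raw Referer; only the consumer differs."""
    session["intended"] = referer


def vulnerable_redirect_target(session: dict) -> str:
    """Risky pattern: the stored Referer is used verbatim as the Location."""
    return session.get("intended") or DEFAULT_AFTER_LOGIN


def safe_redirect_target(session: dict) -> str:
    """Hardened: anything that is not local falls back to a fixed page."""
    candidate = session.get("intended", "")
    return candidate if is_local_target(candidate) else DEFAULT_AFTER_LOGIN


# --- 2. detection over access logs ---------------------------------------

# Constructed: nginx-style combined log extended with the response Location
# header as a final quoted field (e.g. '"$sent_http_location"' in log_format).
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2026:10:01:02 +0000] "POST /login HTTP/1.1" 302 0 "https://assets.example.internal/login" "Mozilla/5.0" "/dashboard"
10.0.0.7 - - [26/May/2026:10:01:09 +0000] "POST /login HTTP/1.1" 302 0 "https://evil.test/sso" "Mozilla/5.0" "https://evil.test/sso"
10.0.0.9 - - [26/May/2026:10:02:15 +0000] "GET /hardware HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
10.0.0.11 - - [26/May/2026:10:03:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "//evil.test/"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<location>[^"]*)"$'
)


def find_external_redirects(log_text: str, app_host: str = APP_HOST) -> list:
    """Return (client_ip, request, location) for 3xx responses that send the
    browser somewhere other than app_host. Relative and same-host targets are
    normal and skipped; a missing Location ("-") is ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("3"):
            continue
        location = m["location"]
        if location == "-" or is_local_target(location, app_host):
            continue
        hits.append((m["ip"], m["req"], location))
    return hits


if __name__ == "__main__":
    sess = {}
    store_referer(sess, "https://evil.test/sso")
    print("vulnerable ->", vulnerable_redirect_target(sess))
    print("hardened   ->", safe_redirect_target(sess))
    for hit in find_external_redirects(SAMPLE_LOG):
        print("external redirect:", hit)
```

The validator is deliberately an allow-list (one host, or a path beginning with a single slash) rather than a deny-list of known-bad prefixes, since userinfo tricks, protocol-relative URLs and non-http schemes all fail the same positive check. The same helper drives the log scan, so a target the application would refuse to redirect to is exactly what the monitor flags when it appears in a Location header; the monitor is a triage aid and still needs the web server configured to log that header.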

Evidence notes

CVE published and modified 2026-05-26. Vendor advisory and patch commit published via GitHub Security Advisories. The CPE criteria confirm that the affected versions are all versions prior to 8.4.1.

Official resources

2026-05-26