CVE-2026-44833
Snipe-IT has an open redirect vulnerability
Description
An open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via an unvalidated HTTP Referer header that is stored in a session variable.

### Impact

- **Phishing**: Redirect users to fake login pages to steal credentials
- **Session Hijacking**: Redirect to an attacker site that captures session cookies via JavaScript
- **Malware Distribution**: Redirect to sites hosting malware or drive-by downloads
- **Reputation Damage**: Users lose trust when redirected to malicious sites from a legitimate application
- **Social Engineering**: Use the trusted Snipe-IT domain to increase the phishing success rate

When the user clicks "Save", the application:

1. Processes the form
2. Checks `redirect_option` (if set to 'back')
3. Calls `Helper::getRedirectOption()`
4. Retrieves `back_url` from the session: `https://evil.com/phishing?target=snipeit`
5. Executes `redirect()->to($backUrl)`
6. The user is redirected to the attacker's site

This would still require session poisoning, so the actual practical threat here is minimal.

### Patches

Patched in https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373, released in 8.4.1.

### Workarounds

None.

### Resources

- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- OWASP: Unvalidated Redirects and Forwards
- Laravel Security: Safe Redirects

[snipeit_open_redirect_submission.md](https://github.com/user-attachments/files/27414869/snipeit_open_redirect_submission.md)
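As an added example (not Snipe-IT's own code and not the fix in the linked commit), the kind of same-host check a Laravel-style handler can apply to a Referer-derived `back_url` before passing it to `redirect()->to()`. The application host, the requirement for `https`, and the sample URLs are assumptions constructed for the demonstration.

```php
<?php
// Decide whether a stored "back" URL may be used as a redirect target.
// Only root-relative paths and absolute https URLs on the app's own host pass;
// everything else falls back to a fixed in-app location.
function isSafeBackUrl(string $backUrl, string $appHost): bool
{
    // Reject empty values, control characters, whitespace and backslashes
    // (browsers treat "/\evil.example" like "//evil.example").
    if ($backUrl === '' || preg_match('/[\x00-\x20\\\\]/', $backUrl)) {
        return false;
    }
    // Protocol-relative URLs ("//evil.example/") are absolute in browsers.
    if (str_starts_with($backUrl, '//')) {
        return false;
    }
    $parts = parse_url($backUrl);
    if ($parts === false) {
        return false;
    }
    // No scheme and no host: a path that stays on this site, if root-relative.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return str_starts_with($backUrl, '/');
    }
    // Absolute URL: require https and an exact host match (assumption: the app
    // is served over https; "assets.example.org.evil.example" must not pass).
    return isset($parts['scheme'], $parts['host'])
        && strtolower($parts['scheme']) === 'https'
        && strtolower($parts['host']) === strtolower($appHost);
}

function safeRedirectTarget(?string $backUrl, string $appHost, string $fallback = '/'): string
{
    return ($backUrl !== null && isSafeBackUrl($backUrl, $appHost)) ? $backUrl : $fallback;
}

// Constructed sample inputs (hypothetical host and URLs).
$appHost = 'assets.example.org';
$cases = [
    '/hardware/123',                                 // allowed: root-relative
    'https://assets.example.org/hardware/123',       // allowed: own host
    'https://evil.example/phishing?target=snipeit',  // rejected: foreign host
    '//evil.example/',                               // rejected: protocol-relative
    'https://assets.example.org.evil.example/',      // rejected: host suffix trick
    '/\\evil.example',                               // rejected: backslash
    'javascript:alert(1)',                           // rejected: no host, non-https scheme
];
foreach ($cases as $c) {
    printf("%-48s -> %s\n", $c, safeRedirectTarget($c, $appHost));
}
```

The same check is worth applying when the value is first read from the Referer header and written to the session, so that a poisoned session never holds an off-site URL in the first place.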
How to fix CVE-2026-44833
To remediate CVE-2026-44833, upgrade the affected package to a fixed version below.
- Upgrade to 8.4.1 or later
Is CVE-2026-44833 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Versions >= 0 and < 8.4.1