GHSA-MGHP-5CQ4-V6MG

Vulnerability from github – Published: 2026-05-08 23:25 – Updated: 2026-05-08 23:25
VLAI
Summary
Snipe-IT has an open redirect vulnerability
Details

Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.

Impact

  • Phishing: Redirect users to fake login pages to steal credentials
  • Session Hijacking: Redirect to attacker site that captures session cookies via JavaScript
  • Malware Distribution: Redirect to sites hosting malware or drive-by downloads
  • Reputation Damage: Users lose trust when redirected to malicious sites from legitimate application
  • Social Engineering: Use trusted Snipe-IT domain to increase phishing success rate

When the user clicks "Save", the application: 1. Processes the form 2. Checks redirect_option (if set to 'back') 3. Calls Helper::getRedirectOption() 4. Retrieves back_url from session: https://evil.com/phishing?target=snipeit 5. Executes redirect()->to($backUrl) 6. User is redirected to attacker's site

This would still require session poisoning, so the actual practical threat here is minimal.

Patches

Patched in https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373, released in 8.4.1.

Workarounds

None.

Resources

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • OWASP: Unvalidated Redirects and Forwards
  • Laravel Security: Safe Redirects

snipeit_open_redirect_submission.md

Severity
5.9 (Medium)
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "snipe/snipe-it"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T23:25:37Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.\n\n### Impact\n\n-   **Phishing**: Redirect users to fake login pages to steal credentials\n-   **Session Hijacking**: Redirect to attacker site that captures session cookies via JavaScript\n-   **Malware Distribution**: Redirect to sites hosting malware or drive-by downloads\n-   **Reputation Damage**: Users lose trust when redirected to malicious sites from legitimate application\n-   **Social Engineering**: Use trusted Snipe-IT domain to increase phishing success rate\n\nWhen the user clicks \"Save\", the application: \n1. Processes the form \n2. Checks `redirect_option` (if set to \u0027back\u0027) \n3. Calls `Helper::getRedirectOption()` \n4. Retrieves `back_url` from session: `https://evil.com/phishing?target=snipeit` \n5. Executes `redirect()-\u003eto($backUrl)` \n6. User is redirected to attacker\u0027s site\n\nThis would still require session poisoning, so the actual practical threat here is minimal. \n\n### Patches\nPatched in https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373, released in 8.4.1.\n\n### Workarounds\n None.\n\n### Resources\n-   CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\n-   OWASP: Unvalidated Redirects and Forwards\n-   Laravel Security: Safe Redirects\n\n[snipeit_open_redirect_submission.md](https://github.com/user-attachments/files/27414869/snipeit_open_redirect_submission.md)",
  "id": "GHSA-mghp-5cq4-v6mg",
  "modified": "2026-05-08T23:25:37Z",
  "published": "2026-05-08T23:25:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grokability/snipe-it/security/advisories/GHSA-mghp-5cq4-v6mg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grokability/snipe-it"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Snipe-IT has an open redirect vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.