Which versions of Snipe It are affected by CVE-2025-15602?

Snipe-IT versions before 8.3.7 allow authenticated users with low privileges to hijack administrative accounts through API manipulation, potentially granting them complete system control.. A patch is available.

How to fix or mitigate CVE-2025-15602?

Within 24 hours: Audit API access logs for suspicious mass assignment requests and review recent changes to administrator accounts, particularly email modifications. Within 7 days: Implement network-level API request filtering to block user modification endpoints for low-privileged accounts, and disable Snipe-IT API access for non-essential users. Within 30 days: Upgrade to Snipe-IT 8.3.7 or later when available; if unavailable, migrate critical data to a patched alternative or conduct a comprehensive security assessment to validate no compromise has occurred.

Snipe It CVE-2025-15602

Q: What is the CVSS score of CVE-2025-15602?

CVE-2025-15602 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

HIGH

Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)

2026-03-06 disclosure@vulncheck.com

GHSA-5448-v74m-7mv7

Information Disclosure Snipe It

8.7

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 21:37 vuln.today

cvss_changed

CVSS changed

Apr 17, 2026 - 21:37 NVD

8.8 (HIGH) 8.7 (HIGH)

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 06, 2026 - 17:16 nvd

HIGH 8.8

DescriptionCVE.org

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.

AnalysisAI

Technical ContextAI

This vulnerability (CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes) affects Snipe-IT. Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-15602 vulnerability details – vuln.today

Back