Snipe-IT CVE-2026-48493
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
Exploitation requires two non-admin delegated permissions (users.edit + api), fitting PR:L rather than PR:H; no confidentiality or availability impact beyond newly self-assigned readable permissions.
Primary rating from Vendor (https://github.com/grokability/snipe-it).
CVSS VectorVendor: https://github.com/grokability/snipe-it
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
A user with only users.edit AND api permissions can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser - for example assets.view, assets.create, reports.view, import, etc.
Patches
Patched in https://github.com/grokability/snipe-it/pull/19024
Articles & Coverage 1
AnalysisAI
{their_own_id}. The PreserveUnauthorizedPrivilegedPermissionsAction class failed to distinguish self-modification from modification of other users, allowing the permission set of the authenticated caller's own account to be silently expanded. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Snipe-IT account that has BOTH the `users.edit` permission AND the `api` permission assigned simultaneously - this is not the default configuration for standard or read-only user accounts and must be explicitly granted by an administrator. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 5.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N) uses PR:H, which in standard CVSS taxonomy denotes administrative control. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A Snipe-IT helpdesk operator whose account has been granted `users.edit` and `api` permissions authenticates to the API, retrieves their own user ID, and sends a PATCH request to `/api/v1/users/{their_own_id}` with a JSON payload that adds `assets.create`, `assets.view`, and `reports.view` to their permissions array. The server accepts the request and updates their account without triggering any administrative alert, after which the operator can create and view asset records and run reports far beyond their originally assigned role. … |
| Remediation | Upgrade Snipe-IT to version 8.6.0 or later; this is the only fully remediated state confirmed by the vendor advisory at https://github.com/grokability/snipe-it/security/advisories/GHSA-52fw-7fw2-fmv5 and the merged PR at https://github.com/grokability/snipe-it/pull/19024. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-52fw-7fw2-fmv5