Skip to main content

Snipe-IT CVE-2026-48493

MEDIUM
Incorrect Authorization (CWE-863)
2026-06-23 https://github.com/grokability/snipe-it GHSA-52fw-7fw2-fmv5
5.5
CVSS 3.1 · Vendor: https://github.com/grokability/snipe-it
Share

Severity by source

Vendor (https://github.com/grokability/snipe-it) PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
7.1 HIGH

Exploitation requires two non-admin delegated permissions (users.edit + api), fitting PR:L rather than PR:H; no confidentiality or availability impact beyond newly self-assigned readable permissions.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/grokability/snipe-it).

CVSS VectorVendor: https://github.com/grokability/snipe-it

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 22:48 vuln.today
Analysis Generated
Jun 23, 2026 - 22:48 vuln.today

DescriptionCVE.org

Impact

A user with only users.edit AND api permissions can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser - for example assets.view, assets.create, reports.view, import, etc.

Patches

Patched in https://github.com/grokability/snipe-it/pull/19024

AnalysisAI

{their_own_id}. The PreserveUnauthorizedPrivilegedPermissionsAction class failed to distinguish self-modification from modification of other users, allowing the permission set of the authenticated caller's own account to be silently expanded. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Snipe-IT API with users.edit + api permissions
Delivery
Retrieve own user ID via authenticated API call
Exploit
Craft PATCH request to /api/v1/users/{own_id} with elevated permissions payload
Execution
Missing self-modification guard in PreserveUnauthorizedPrivilegedPermissionsAction accepts payload
Persist
Attacker account receives expanded permissions (assets.create, reports.view, etc.)
Impact
Access asset management and reporting functions beyond original authorization

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Snipe-IT account that has BOTH the `users.edit` permission AND the `api` permission assigned simultaneously - this is not the default configuration for standard or read-only user accounts and must be explicitly granted by an administrator. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 5.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N) uses PR:H, which in standard CVSS taxonomy denotes administrative control. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Snipe-IT helpdesk operator whose account has been granted `users.edit` and `api` permissions authenticates to the API, retrieves their own user ID, and sends a PATCH request to `/api/v1/users/{their_own_id}` with a JSON payload that adds `assets.create`, `assets.view`, and `reports.view` to their permissions array. The server accepts the request and updates their account without triggering any administrative alert, after which the operator can create and view asset records and run reports far beyond their originally assigned role. …
Remediation Upgrade Snipe-IT to version 8.6.0 or later; this is the only fully remediated state confirmed by the vendor advisory at https://github.com/grokability/snipe-it/security/advisories/GHSA-52fw-7fw2-fmv5 and the merged PR at https://github.com/grokability/snipe-it/pull/19024. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy