Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Network-reachable authenticated low-priv user (PR:L, AV:N, AC:L); impact is a reversible soft-delete of one non-admin user, so integrity and availability are Low, confidentiality None.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with delete_user=1 because BulkUsersController::destroy() authorizes only update, allowing the user to soft-delete another non-admin user. This issue is fixed in version 8.6.2.
AnalysisAI
Broken authorization in Snipe-IT before 8.6.2 lets an authenticated non-admin user who holds users.view and users.edit - but explicitly not users.delete - soft-delete other non-admin user accounts by POSTing delete_user=1 to /users/bulksave. The root cause is that BulkUsersController::destroy() checks only the 'update' authorization, so the delete permission gate is never enforced. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Snipe-IT session for a user/role that has been assigned the users.view and users.edit permissions but not users.delete - this specific permission combination is the prerequisite, and it reflects a common least-privilege help-desk/user-manager role. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L, score 7.1) correctly captures a network-reachable, low-complexity attack requiring low privileges and no user interaction, with no confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An insider or a compromised low-privilege help-desk account that has been granted users.view and users.edit (but not users.delete) sends a crafted authenticated POST to /users/bulksave containing delete_user=1 and a target user ID. Because the endpoint only checks update rights, the target non-admin account is soft-deleted, disrupting that user's access without the attacker ever holding delete permission. … |
| Remediation | Vendor-released patch: upgrade to Snipe-IT 8.6.2, which corrects BulkUsersController::destroy() to require proper delete authorization (fix commit 374f426f0c6bb7a4f129f7b85051cc1da753a0f5, release https://github.com/grokability/snipe-it/releases/tag/v8.6.2, advisory https://github.com/grokability/snipe-it/security/advisories/GHSA-vgx7-c78r-69w9). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all user role assignments in Snipe-IT to identify users holding users.view and users.edit permissions; review audit logs for suspicious bulk user operations via /users/bulksave endpoint. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. Rated high severity (CVSS 8.8),
In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. Rated high severity (CVSS 8.8), this
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot
Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. Rated high severity (CVSS 8.0), this vulnerability
Old sessions are not blocked by the login enable function. Rated high severity (CVSS 7.4), this vulnerability is remotel
snipe-it is vulnerable to Server-Side Request Forgery (SSRF). Rated high severity (CVSS 7.2), this vulnerability is remo
Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the AP
Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. Rated medium severity (CVSS 6.5), this vulnera
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42991