Snipe-IT CVE-2026-55483
MEDIUMSeverity by source
Network-accessible endpoint with low complexity; PR:L because `users.create` is a specific but commonly delegated role; S:C because the attacker escalates beyond their authorization boundary to full admin control of the system.
Lifecycle Timeline
2DescriptionCVE.org
Impact
The store() method in both the web and API UsersController only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the users.create permission to create a new user with full admin privileges.
The users.create permission may commonly be delegated to HR staff, department leads, or similar roles.
Patches
Patched in aea3877718
AnalysisAI
Privilege escalation in Snipe-IT's user creation endpoint allows any authenticated holder of the users.create permission to provision new accounts with full admin privileges. The store() method in both the web UI and API UsersController correctly strips the superuser flag from user-creation payloads submitted by non-superusers, but applies no equivalent check to the admin permission, creating a direct path from delegated HR or department-lead roles to full administrative control over the Snipe-IT instance. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Snipe-IT session with the `users.create` permission explicitly granted. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No vendor or NVD CVSS vector was provided; the independently assessed vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) rates this as Critical. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An HR coordinator holding the delegated `users.create` permission - or an attacker who has compromised such an account - submits a standard user-creation POST request to the Snipe-IT web or API endpoint with the admin permission flag included in the payload. Because the `store()` method only strips the superuser flag, the admin bit passes through unchanged, and the new account is created with full administrative access. … |
| Remediation | Upgrade Snipe-IT to version 8.6.0 or later; this is the vendor-confirmed fix version containing commit aea3877718 (https://github.com/grokability/snipe-it/commit/aea3877718158cc2a10c2dde4597b1f439f5f6cb). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hf68-g98v-wp9g