CVE-2026-48493
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
In Snipe-IT versions prior to 8.6.0, a user with users.edit permission can send a PATCH request to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser, e.g., assets.view, assets.create, reports.view, import. The issue is fixed in version 8.6.0.
Risk Assessment
The risk is privilege escalation by a regular user, potentially leading to unauthorized access to assets, creation of assets, viewing reports, or importing data, compromising system confidentiality and integrity.
Recommendation
Immediately upgrade Snipe-IT to version 8.6.0 or later. Until the update, restrict users.edit permissions to trusted users only.
Original NVD description (English source)
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0.

