CVE Catalog

CVE-2026-48493

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

In Snipe-IT versions prior to 8.6.0, a user with users.edit permission can send a PATCH request to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser, e.g., assets.view, assets.create, reports.view, import. The issue is fixed in version 8.6.0.

Risk Assessment

The risk is privilege escalation by a regular user, potentially leading to unauthorized access to assets, creation of assets, viewing reports, or importing data, compromising system confidentiality and integrity.

Recommendation

Immediately upgrade Snipe-IT to version 8.6.0 or later. Until the update, restrict users.edit permissions to trusted users only.

Original NVD description (English source)

Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS