Description
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0.
Published: 2026-06-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Snipe-IT, a widely used IT asset and license management system, contains a flaw that allows a user with only the users.edit permission to elevate their own privileges through the API. This is a CWE‑863 flaw, representing an Authorization Bypass Through Privileged Access Control. By sending a PATCH request to /api/v1/users/{their_own_id}, the user can grant themselves any permission except the privileged admin or superuser roles, including access to asset viewing and creation, report generation, and import functionality. This escalation enables the user to perform actions that are normally restricted, potentially compromising confidentiality, integrity, and availability of asset data without becoming a full administrator.

Affected Systems

The vulnerability affects all installations of Snipe-IT running a version earlier than 8.6.0. It is provided by the vendor grokability under the product name Snipe-IT. No additional sub‑component or operating system versions are specified beyond the version threshold.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Attackers can exploit the flaw as any user who has the users.edit permission, which could be a legitimate user or a compromised account. The issue is an internal API interaction, so a network attacker would need to authenticate and possess the users.edit role; the attack does not provide root or admin privileges but grants significant permissions that can be used to undermine system security.

Generated by OpenCVE AI on June 24, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Snipe-IT to version 8.6.0 or later for trusted accounts or remove the capability from accounts that do not require the ability to edit user permissions.
  • Enable detailed auditing of permission changes and monitor privilege escalation attempts.
  • Restrict the users.edit permission to administrative users only until the patch is applied.

Generated by OpenCVE AI on June 24, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-52fw-7fw2-fmv5 Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Grokability
Grokability snipe-it
Vendors & Products Grokability
Grokability snipe-it

Tue, 23 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0.
Title Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N'}


Subscriptions

Grokability Snipe-it
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:01:19.174Z

Reserved: 2026-05-21T15:33:08.292Z

Link: CVE-2026-48493

cve-icon Vulnrichment

Updated: 2026-06-25T13:01:12.925Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses