Description
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0.
Published: 2026-06-23
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Snipe-IT, a widely used IT asset and license management system, contains a flaw that allows any user possessing only the users.edit permission to elevate their own privileges through the API. By sending a PATCH request to /api/v1/users/{their_own_id}, the user can grant themselves any permission except the privileged admin or superuser roles, including access to asset viewing and creation, report generation, and import functionality. This escalation enables the user to perform actions that are normally restricted, potentially compromising confidentiality, integrity, and availability of asset data without becoming a full administrator.

Affected Systems

The vulnerability affects all installations of Snipe-IT running a version earlier than 8.6.0. The product is published by the vendor Grokability under the name Snipe-IT. No additional sub-component or operating system versions are specified beyond the version threshold.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. The flaw can be exploited by any account that holds the users.edit permission, whether a legitimate user or a compromised account. Because the flaw is reached through the authenticated API, a network attacker must first authenticate as a user holding users.edit; the attack does not yield root or admin privileges, but it grants significant permissions that can be used to undermine system security.

Generated by OpenCVE AI on June 24, 2026 at 02:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Snipe-IT to version 8.6.0 or later.
  • Restrict the users.edit permission to trusted accounts or remove it from accounts that do not require the ability to edit user permissions.
  • Enable detailed auditing of permission changes and monitor for anomalous activity that may indicate privilege escalation attempts.



Advisories
Source: Github GHSA
ID: GHSA-52fw-7fw2-fmv5
Title: Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
History

Wed, 24 Jun 2026 01:15:00 +0000

Type: First Time appeared
Values Added: Grokability; Grokability snipe-it
Type: Vendors & Products
Values Added: Grokability; Grokability snipe-it

Tue, 23 Jun 2026 22:30:00 +0000

Type: Description
Values Added: Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0.
Type: Title
Values Added: Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Type: Weaknesses
Values Added: CWE-863
Type: References
Values Added: (none listed)
Type: Metrics
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-06-23T22:11:06.847Z

Reserved: 2026-05-21T15:33:08.292Z

Link: CVE-2026-48493

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T02:45:05Z

Weaknesses