Description
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.
Published: 2026-06-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Snipe-IT versions before 8.6.0 lets a non-administrator who has the users.edit permission modify the activated and ldap_import flags for all users in bulk. By setting activated to false for every account, the attacker can prevent all administrators from logging in, effectively halting the asset management system. This privilege escalation, which falls under CWE-863, leads to loss of administrative control and availability of the system.

Affected Systems

Snipe-IT, an open-source IT asset and license management solution, is affected. All releases prior to 8.6.0 are vulnerable when a user with users.edit permission can perform bulk edits on the activated or ldap_import fields. The flaw applies to any deployment of these versions where non-admin accounts are granted users.edit access.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. EPSS is not published, so the exploitation likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with the users.edit permission to exploit the flaw; the most likely attack vector is authenticated remote manipulation through the web interface. The attacker requires only that permission set on a non-admin account, which may be granted in many environments, making the vulnerability practically exploitable in typical setups.

Generated by OpenCVE AI on June 8, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Snipe-IT to version 8.6.0 or later.
  • Remove or restrict the users.edit permission for non-administrator accounts to prevent bulk editing of account flags.
  • Monitor audit logs for bulk edits of the activated or ldap_import fields and verify that no unauthorized changes occur.

Generated by OpenCVE AI on June 8, 2026 at 18:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6f75-x745-xcpr Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
History

Tue, 09 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Snipeitapp
Snipeitapp snipe-it
CPEs cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*:*
Vendors & Products Snipeitapp
Snipeitapp snipe-it

Mon, 08 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Grokability
Grokability snipe-it
Vendors & Products Grokability
Grokability snipe-it

Mon, 08 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.
Title Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Grokability Snipe-it
Snipeitapp Snipe-it
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T18:03:30.480Z

Reserved: 2026-05-21T16:18:10.618Z

Link: CVE-2026-48507

cve-icon Vulnrichment

Updated: 2026-06-08T18:03:21.704Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-08T17:16:52.390

Modified: 2026-06-09T16:41:26.540

Link: CVE-2026-48507

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T20:45:32Z

Weaknesses