CVE-2025-15602
Received Received - Intake
Mass Assignment Vulnerability in Snipe-IT Allows Admin Takeover

Publication date: 2026-03-06

Last updated on: 2026-04-17

Assigner: VulnCheck

Description
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15602
EUVD
EUVD-2025-208340
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
snipeitapp snipe-it to 8.3.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-15602 is a mass assignment vulnerability in Snipe-IT versions prior to 8.3.7. It occurs because sensitive user attributes related to account privileges are not sufficiently protected. This allows an authenticated user with low privileges to craft a malicious API request that modifies restricted fields of another user's account, including the Super Admin account."}, {'type': 'paragraph', 'content': "By changing the Super Admin's email address and triggering a password reset, an attacker can take full control of the Super Admin account, gaining complete administrative access to the Snipe-IT instance."}] [2]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to a complete takeover of the Snipe-IT instance by an attacker. Specifically, an attacker with low privileges can escalate their access by modifying the Super Admin account's email address and resetting its password."}, {'type': 'paragraph', 'content': 'As a result, the attacker gains full administrative control, which can lead to unauthorized access to sensitive data, modification or deletion of assets, and disruption of asset management operations.'}] [2]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Snipe-IT to version 8.3.7 or later, as this version contains fixes addressing the mass assignment issue that allows privilege escalation.

Additionally, review and restrict API access permissions to ensure that low-privileged users cannot modify sensitive user attributes, especially those related to the Super Admin account.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart