CVE-2026-48507
Snipe-IT Privilege Escalation via User Flag Manipulation

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor       Product   Version / Range
grokability  snipe-it  to 8.5.0 (exc)
grokability  snipe-it  8.6.0
snipe-it     snipe-it  to 8.6.0 (exc)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

CVE-2026-48507 is a vulnerability in the Snipe-IT IT asset/license management system affecting versions prior to 8.6.0.

It allows a non-admin user who has only the granular users.edit permission to lock every administrator out of the system.

This is done by editing two critical flags: the 'activated' flag, which controls whether a user can log in, and the 'ldap_import' flag, which controls whether a user can request a password reset.

By manipulating these flags, the attacker can deactivate admin accounts and prevent them from resetting passwords, effectively locking them out.

The vulnerability can be exploited remotely with low attack complexity and requires no user interaction.

The issue was patched in version 8.6.0 by restricting the ability to modify these flags to only authorized users.

Impact Analysis

This vulnerability can have a significant impact on system availability and administration.

An attacker with limited permissions (users.edit) can lock all administrators out of the Snipe-IT instance by deactivating their accounts and disabling their password reset capabilities.

This means that legitimate administrators would be unable to log in or recover their accounts, potentially causing a denial of service for managing IT assets and licenses.

While confidentiality is not directly affected, the integrity of user management is compromised, and the availability of the system is severely impacted.

Detection Guidance

Detecting exploitation means checking whether a non-admin user holding the users.edit permission has modified the 'activated' or 'ldap_import' flag of an admin user, which the application should never permit.

You can audit user records to see if any admin accounts have been deactivated or had their ldap_import flag changed unexpectedly.

Since the vulnerability involves bulk editing through the application, monitoring logs for bulk user edits by non-admin users can help detect exploitation attempts.

Specific commands depend on your system setup, but generally you can query the database or use API calls to check user flags. For example, if you have direct database access, you might run a SQL query like:

  • SELECT id, username, activated, ldap_import FROM users WHERE activated = 0 OR ldap_import = 1;

Reviewing the application's activity log for bulk user edits performed by non-admin users is the complementary check: it shows who made the change, not just that an admin record is now in a locked-out state.
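The audit described above, carried out over an exported users table, as an added example that is not part of the CVE record or of Snipe-IT itself. It assumes the `activated` and `ldap_import` columns named on the page plus a `permissions` column holding Snipe-IT's JSON permission map (keys such as "superuser", "admin" and "users.edit"); that column layout is an assumption here, and the sample rows are constructed.

```python
# Added example (not from the CVE record or from Snipe-IT): audit an exported
# users table for the two conditions behind CVE-2026-48507. Assumes the page's
# `activated` / `ldap_import` columns plus a `permissions` column holding
# Snipe-IT's JSON permission map ("superuser", "admin", "users.edit", ...)
# with "1" = granted, "0" = unset, "-1" = denied. That layout is an assumption.
import json

def granted(raw):
    """Set of permission keys granted in a permissions JSON string/dict."""
    if not raw:
        return set()
    perms = json.loads(raw) if isinstance(raw, str) else raw
    # Values are strings; only "1" is a grant, "0"/"-1" are not.
    return {k for k, v in perms.items() if str(v) == "1"}

def is_admin(perms):
    return "superuser" in perms or "admin" in perms

def audit_users(rows):
    """Return usernames of (a) admin accounts that are deactivated or flagged
    ldap_import (locked out: cannot log in / cannot reset a password) and
    (b) non-admin accounts holding users.edit (the permission the flaw exposes)."""
    locked, risky = [], []
    for row in rows:
        perms = granted(row.get("permissions"))
        deactivated = int(row.get("activated", 1)) == 0
        no_reset = int(row.get("ldap_import", 0)) == 1
        if is_admin(perms) and (deactivated or no_reset):
            locked.append(row["username"])
        if not is_admin(perms) and "users.edit" in perms:
            risky.append(row["username"])
    return {"locked_admins": sorted(locked), "risky_editors": sorted(risky)}

# Constructed sample rows standing in for a `SELECT ... FROM users` export.
SAMPLE_ROWS = [
    {"username": "root", "activated": 0, "ldap_import": 0,
     "permissions": '{"superuser":"1"}'},
    {"username": "itadmin", "activated": 1, "ldap_import": 1,
     "permissions": '{"admin":"1","users.edit":"1"}'},
    {"username": "helpdesk", "activated": 1, "ldap_import": 0,
     "permissions": '{"users.view":"1","users.edit":"1"}'},
    {"username": "viewer", "activated": 1, "ldap_import": 0,
     "permissions": '{"users.edit":"-1"}'},
]

if __name__ == "__main__":
    print(json.dumps(audit_users(SAMPLE_ROWS), indent=2))
```

Any name in `locked_admins` should be restored (activated = 1, ldap_import = 0) immediately, and each name in `risky_editors` is an account whose users.edit grant should be reviewed until the instance runs 8.6.0 or later.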

Mitigation Strategies

The immediate mitigation step is to upgrade Snipe-IT to version 8.6.0 or later, where the vulnerability has been patched.

Until the upgrade can be performed, restrict the users.edit permission to trusted admin users only, preventing non-admin users from having this permission.

Monitor and audit user account flags, especially the 'activated' and 'ldap_import' flags, to detect and revert any unauthorized changes.

Review and tighten permissions related to bulk user editing to ensure non-admin users cannot modify sensitive user attributes.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
