CVE-2026-55843
Undergoing Analysis Undergoing Analysis - In Progress

Snipe-IT Privilege Escalation via Permission Overwrite

Vulnerability report for CVE-2026-55843, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.0, UsersController::update() passes a missing permission request field through NormalizePermissionsPayloadAction and PreserveUnauthorizedPrivilegedPermissionsAction in a way that can overwrite a target user’s permissions with a sparse result, allowing an administrator updating another administrator, or a user with users.edit updating a regular account, to remove the target’s administrative or granular permissions. This issue is fixed in version 8.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
snipeitapp snipe-it to 8.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an administrator or a user with certain edit permissions to unintentionally or maliciously remove administrative or granular permissions from other users without notification. Such improper privilege management can lead to unauthorized changes in user access controls, potentially compromising the integrity and availability of sensitive data.

In the context of compliance with standards like GDPR or HIPAA, which require strict access controls and auditability to protect personal and sensitive information, this vulnerability could undermine those requirements by enabling unauthorized privilege modifications. This could result in non-compliance due to weakened access controls and potential exposure or mishandling of protected data.

Executive Summary

CVE-2026-55843 is an improper privilege management vulnerability in the Snipe-IT asset management system affecting versions 8.4.1 and earlier.

The issue occurs in the UsersController's update() method, which passes the permission request field to NormalizePermissionsPayloadAction. If this permission field is missing, it returns an empty array that is then processed by PreserveUnauthorizedPrivilegedPermissionsAction.

This processing selectively restores only superuser or admin keys but discards all other permissions, including the admin flag itself when an admin edits another admin account without including the permission field.

As a result, an administrator can send an update request for another admin without the permission field and permanently remove the target's administrative and granular permissions without any error or notification.

Additionally, non-admin users with the users.edit permission can similarly wipe granular permissions of regular user accounts.

This vulnerability was fixed in version 8.6.0.

Impact Analysis

This vulnerability can lead to the unintended or malicious removal of administrative and granular permissions from user accounts.

An administrator updating another administrator's account without including the permission field can accidentally or deliberately strip the target user of their admin privileges, effectively locking them out of administrative functions.

Similarly, users with the users.edit permission can remove granular permissions from regular user accounts.

This can cause disruption in managing IT assets and licenses by reducing the number of users with necessary permissions, potentially impacting system integrity and availability.

Because the removal happens silently without error or notification, it may go unnoticed until operational issues arise.

Detection Guidance

This vulnerability involves the improper handling of the 'permission' field in user update requests to the Snipe-IT system. Detection involves monitoring or inspecting PUT requests to the /users/{id} endpoint to see if the 'permission' field is missing when an administrator or a user with users.edit permission updates another user's account.

You can detect potential exploitation by checking logs or capturing HTTP requests for PUT operations on /users/{id} that do not include the 'permission' field, which could indicate an attempt to remove or alter permissions improperly.

Suggested commands to detect such activity might include using network traffic inspection tools like tcpdump or Wireshark to filter HTTP PUT requests to /users/ endpoints, or searching application logs for update requests missing the 'permission' field.

  • Example tcpdump command to capture relevant HTTP traffic: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i 'PUT /users/'
  • Use grep or similar tools on application logs to find update requests missing the 'permission' field: grep -L 'permission' /path/to/snipe-it/logs/* | grep 'PUT /users/'
Mitigation Strategies

The primary mitigation is to upgrade Snipe-IT to version 8.6.0 or later, where this vulnerability has been fixed by ensuring that user permissions are only updated if the 'permission' field is explicitly included in the update request.

Until the upgrade can be performed, administrators should carefully audit and restrict who has the ability to perform user updates, especially those with high privileges such as administrators or users with users.edit permission.

Additionally, monitoring and alerting on user update requests that omit the 'permission' field can help detect and prevent accidental or malicious removal of permissions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55843. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart