PT-2026-51606 · Snipe-It · Snipe-It
Iltosec
+1
·
Published
2026-06-23
·
Updated
2026-06-23
·
CVE-2026-48493
CVSS v3.1
5.5
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Snipe-IT versions prior to 8.6.0
Description
A user who holds the users.edit permission and API access can escalate their privileges by sending a PATCH request to their own record at /api/v1/users/{their own id}. The permissions field of that request is honoured, so the user can grant themselves permissions such as assets.view, assets.create, reports.view and import capabilities. Admin and superuser status cannot be granted this way.
Recommendations
Update to version 8.6.0.
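The following is an added example, not code from this advisory or from the Snipe-IT project. It models the authorization decision the advisory describes for PATCH /api/v1/users/{id}: the pre-8.6.0 behaviour (users.edit alone is enough to rewrite the permissions field, with only admin and superuser filtered) beside a hardened rule, plus a check of a version string against the fixed release. The permissions JSON layout ({"users.edit": "1", ...}), the function names and the hardened rule are assumptions chosen for illustration, not Snipe-IT's actual schema or patch.

```python
"""Added example, not Snipe-IT's own code: models the authorization decision
for PATCH /api/v1/users/{id} as the advisory describes it, beside an assumed
hardened rule, plus a version check against the fixed release (8.6.0).
The permissions JSON layout and the hardened rule are assumptions."""

import json
from typing import Any, Dict, Optional

# Permissions the advisory says the flaw could NOT grant.
PROTECTED = {"admin", "superuser"}
FIXED_VERSION = (8, 6, 0)


def parse_version(version: str) -> tuple:
    """Turn '8.5.3', 'v8.6.0' or '8.6.0-pre' into a comparable (major, minor, patch)."""
    core = version.lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True for any release before 8.6.0, the version the advisory says to update to."""
    return parse_version(version) < FIXED_VERSION


def load_permissions(user: Dict[str, Any]) -> Dict[str, str]:
    """Permissions are assumed to be stored as a JSON string of name -> '1'/'0'."""
    perms = user.get("permissions") or {}
    return json.loads(perms) if isinstance(perms, str) else dict(perms)


def has_permission(user: Dict[str, Any], name: str) -> bool:
    """Superuser implies every permission; otherwise the named flag must be '1'."""
    perms = load_permissions(user)
    return perms.get("superuser") == "1" or perms.get(name) == "1"


def vulnerable_patch_user(actor: Dict[str, Any], target: Dict[str, Any],
                          payload: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Pre-8.6.0 behaviour as described: users.edit is enough to edit the
    permissions field of any user, including the actor's own record; only
    admin and superuser are filtered. Returns the resulting permissions,
    or None when the request is denied."""
    if not has_permission(actor, "users.edit"):
        return None
    perms = load_permissions(target)
    for name, value in payload.get("permissions", {}).items():
        if name in PROTECTED:
            continue  # the advisory notes these could not be granted
        perms[name] = value
    target["permissions"] = json.dumps(perms)
    return perms


def hardened_patch_user(actor: Dict[str, Any], target: Dict[str, Any],
                        payload: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Assumed hardened rule (not the project's actual fix): changing the
    permissions field requires a superuser actor, and an actor may never
    alter their own permissions through this endpoint. Other fields still
    only need users.edit."""
    if not has_permission(actor, "users.edit"):
        return None
    if "permissions" in payload:
        if actor["id"] == target["id"] or not has_permission(actor, "superuser"):
            return None
    perms = load_permissions(target)
    perms.update(payload.get("permissions", {}))
    target["permissions"] = json.dumps(perms)
    return perms


def newly_granted(before: Dict[str, str], after: Dict[str, str]) -> set:
    """For auditing: permission names that flipped to '1' between two snapshots."""
    return {k for k, v in after.items() if v == "1" and before.get(k) != "1"}


if __name__ == "__main__":
    # Constructed sample: a user with only users.edit patching their own record.
    me = {"id": 7, "permissions": '{"users.edit": "1"}'}
    req = {"permissions": {"assets.create": "1", "reports.view": "1", "superuser": "1"}}
    before = load_permissions(me)
    after = vulnerable_patch_user(me, dict(me), req)
    print("8.5.x affected:", is_affected("8.5.3"))
    print("self-granted before fix:", sorted(newly_granted(before, after)))
    print("hardened result:", hardened_patch_user(me, dict(me), req))
```

The audit helper newly_granted is the piece worth keeping after patching: diff a permissions snapshot taken before the upgrade against the current one for every user holding users.edit, and any entry that appears there without a corresponding change by an administrator is worth a closer look.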
Fix
Weakness Enumeration
CWE-863 Incorrect Authorization
Related Identifiers
Affected Products
Snipe-It