PT-2026-51643 · Packagist · Snipe/Snipe-It

Published

2026-06-23

·

Updated

2026-06-23

·

CVE-2026-55483

CVSS v4.0

4.9

Medium

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Impact

The store() method in both the web and API UsersController strips the superuser permission only when a non-superuser creates a user; it does not strip the admin permission. As a result, any authenticated user holding the users.create permission can create a new user with full admin privileges, escalating beyond their own role. The CVSS vector reflects this as a high integrity impact with no direct confidentiality or availability impact.
The users.create permission may commonly be delegated to HR staff, department leads, or similar roles, so the set of accounts able to reach this code path is wider than the admin group.
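
The permission filtering the advisory describes, as an added illustration that is not Snipe-IT's own code: the vulnerable form strips only the superuser flag, the hardened form also refuses the admin flag unless the creating account holds it. The permission-map shape (string keys such as superuser, admin and users.create, with "1" meaning granted) and the function names are assumptions made for this example.

```php
<?php
// Added illustration of the store() permission filtering discussed above.
// Not Snipe-IT code: the array shape and helper names are assumptions.

/**
 * Vulnerable behaviour from the advisory: only the superuser flag is removed
 * when a non-superuser creates a user. The admin flag passes straight through,
 * so a users.create holder can mint a full admin.
 */
function filterPermissionsVulnerable(array $requested, array $creator): array
{
    if (($creator['superuser'] ?? '0') !== '1') {
        unset($requested['superuser']);
    }
    return $requested;
}

/**
 * Hardened variant: a creator may only grant a privileged flag that they hold
 * themselves. Superusers may grant anything; admins may grant admin but not
 * superuser; everyone else (e.g. an HR account with users.create) may grant
 * neither. Ordinary permissions such as users.view are left untouched.
 */
function filterPermissionsHardened(array $requested, array $creator): array
{
    $isSuperuser = ($creator['superuser'] ?? '0') === '1';
    $isAdmin     = $isSuperuser || (($creator['admin'] ?? '0') === '1');

    if (!$isSuperuser) {
        unset($requested['superuser']);
    }
    if (!$isAdmin) {
        unset($requested['admin']);
    }
    return $requested;
}

// Constructed sample: an HR account holding only users.create submits a
// request body that asks for both privileged flags on the new user.
$creator   = ['superuser' => '0', 'admin' => '0', 'users.create' => '1'];
$requested = ['superuser' => '1', 'admin' => '1', 'users.view' => '1'];

// Vulnerable: ['admin' => '1', 'users.view' => '1'] (admin survives)
var_dump(filterPermissionsVulnerable($requested, $creator));

// Hardened: ['users.view' => '1'] (both privileged flags dropped)
var_dump(filterPermissionsHardened($requested, $creator));
```

The important design point is that the check is made against the creator's own privileges rather than against a fixed list of forbidden keys: adding a new privileged flag later does not silently reopen the escalation. The same guard belongs on every code path that writes a user's permission set, not only on create, and it should run on the server after the request has been validated, never be trusted from a client-side form.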

Patches

Patched in aea3877718

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-55483
GHSA-HF68-G98V-WP9G

Affected Products

Snipe/Snipe-It