PT-2026-57264 · Snipe-It · Snipe-It
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-55460
CVSS v3.1
7.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
Snipe-IT versions prior to 8.6.2
Description
An authenticated non-admin user possessing
users.view and users.edit permissions, but lacking users.delete permissions, can perform a soft-delete of another non-admin user. This occurs because the BulkUsersController::destroy() function only authorizes the update action, allowing the user to send a POST request to the '/users/bulksave' endpoint with the delete user variable set to 1.Recommendations
Update to version 8.6.2.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Snipe-It