PT-2026-57264 · Snipe-It · Snipe-It

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-55460

CVSS v3.1

7.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.2
Description An authenticated non-admin user possessing users.view and users.edit permissions, but lacking users.delete permissions, can perform a soft-delete of another non-admin user. This occurs because the BulkUsersController::destroy() function only authorizes the update action, allowing the user to send a POST request to the '/users/bulksave' endpoint with the delete user variable set to 1.
Recommendations Update to version 8.6.2.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55460

Affected Products

Snipe-It