PT-2026-57271 · Snipe-It · Snipe-It
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-55843
CVSS v4.0
7.0
High
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Snipe-IT versions prior to 8.6.0
Description
In the IT asset and license management system, the
update() function within UsersController incorrectly handles missing permission request fields when processed through NormalizePermissionsPayloadAction and PreserveUnauthorizedPrivilegedPermissionsAction. This behavior allows an administrator updating another administrator, or a user with users.edit privileges updating a regular account, to overwrite a target user's permissions with a sparse result, effectively removing their administrative or granular permissions.Recommendations
Update to version 8.6.0.
Fix
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Snipe-It