PT-2026-57271 · Snipe-It · Snipe-It

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-55843

CVSS v4.0

7.0

High

VectorAV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.0
Description In the IT asset and license management system, the update() function within UsersController incorrectly handles missing permission request fields when processed through NormalizePermissionsPayloadAction and PreserveUnauthorizedPrivilegedPermissionsAction. This behavior allows an administrator updating another administrator, or a user with users.edit privileges updating a regular account, to overwrite a target user's permissions with a sparse result, effectively removing their administrative or granular permissions.
Recommendations Update to version 8.6.0.

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55843

Affected Products

Snipe-It