HIGH 7.1

CVE-2026-48507: Snipe-IT Privilege Escalation Allows Admin Lockout (CVSS 7.1)

Snipe-IT, a popular IT asset and license management system, has a privilege escalation flaw that lets low-privileged users with basic editing permissions lock all administrators out of the system. A user granted only the `users.edit` permission can disable admin accounts by toggling login flags and blocking password reset options, effectively taking control of the instance. The vulnerability affects all versions before 8.6.0 and is fixed in that release.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Weaknesses (CWE)
CWE-863
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-48507 is an authorization bypass vulnerability in Snipe-IT arising from insufficient permission validation when editing user account flags. The `users.edit` permission grants access to modify the `activated` flag (controls login capability) and the `ldap_import` flag (controls password reset eligibility). Because the application fails to restrict these sensitive modifications to administrative users, a non-admin can systematically disable all administrator accounts, rendering the instance inaccessible to legitimate admins. The vulnerability is classified under CWE-863 (Incorrect Authorization).

Business impact

This vulnerability poses a severe operational risk: a single user with minimal permissions can deny all administrators access to their asset management system. This constitutes a complete denial of service at the administrative level, preventing inventory tracking, license compliance monitoring, and user management. Recovery requires external intervention or system restoration from backup. Organizations relying on Snipe-IT for compliance and IT hygiene face potential compliance violations during lockout periods, along with downtime costs and remediation effort.

Affected systems

Snipe-IT versions prior to 8.6.0 are affected. Any deployment running an older version is at risk if users hold the `users.edit` granular permission. The severity depends on permission assignment practices—organizations that carefully limit this permission to trusted personnel face lower risk than those using permissive role configurations.

Exploitability

The vulnerability requires valid credentials and the `users.edit` permission, so external unauthenticated exploitation is not possible. However, the barrier to exploitation is low once a user holds that permission: no special tools or interaction are needed—an attacker simply edits user flags through the normal admin interface. This is a local, authenticated attack with straightforward execution paths.

Remediation

Upgrade Snipe-IT to version 8.6.0 or later, which contains the patch. Before upgrading, audit your user permission assignments to ensure the `users.edit` permission is granted only to trusted administrators. Consider implementing additional access controls or monitoring for changes to administrative user accounts in your pre-upgrade environment.

Patch guidance

Snipe-IT version 8.6.0 and later include the fix. Follow the vendor's standard upgrade procedure. Test the patch in a non-production environment first to ensure compatibility with your configuration and integrations. After upgrading, verify that administrative accounts are accessible and that user editing functionality works as expected.

Detection guidance

Review audit logs for suspicious user account modifications, particularly disabled `activated` flags on administrative accounts or changes to `ldap_import` settings made by non-administrative users. Monitor for access attempts by administrators to accounts that were recently disabled. If Snipe-IT logs are forwarded to a SIEM, create alerts for user deactivations performed by accounts without administrative roles.

Why prioritize this

This vulnerability merits urgent attention despite moderate technical barriers to exploitation. The impact—complete admin lockout—is categorical and business-critical. Organizations should prioritize patching based on: (1) how widely the `users.edit` permission is distributed, (2) trust levels of current permission holders, and (3) the criticality of Snipe-IT to IT operations and compliance. High-trust environments may defer slightly, but broad permission distribution warrants immediate action.

Risk score, explained

The CVSS 3.1 score of 7.1 (HIGH) reflects a network-accessible vulnerability requiring low-privilege authentication, causing high availability impact (denial of service to administrators) with minimal integrity risk. The base vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H balances the legitimate access requirement against the severe operational consequence. The score does not account for organizational context—actual risk varies with permission governance and system criticality.

Frequently asked questions

Do we need to upgrade immediately if we restrict `users.edit` to only our IT administrators?

Patching remains important for defense-in-depth, but the immediate risk is lower in strictly governed environments. However, account compromises, insider threats, or configuration drift could expose the permission to unintended users. Plan an upgrade on a regular maintenance cycle, but prioritize testing over rushing it if your current permission controls are tight.

What's the difference between the `activated` and `ldap_import` flags, and why can an attacker use both?

The `activated` flag directly disables login for a user account. The `ldap_import` flag controls whether password reset requests are honored—disabling it prevents admins from regaining access via password reset mechanisms. Together, they seal off both the front door (login) and the back door (password recovery), making account recovery impossible without system-level intervention.

Is there a workaround if we can't patch immediately?

No safe workaround eliminates the risk. You can reduce exposure by removing the `users.edit` permission from all non-administrative users and auditing current assignments. However, only the patch addresses the underlying authorization flaw. Prioritize patching within your next scheduled maintenance window.

Will the patch affect our existing user roles and permissions?

The patch corrects permission validation logic, not permission definitions. Your existing role-based access control configuration will remain unchanged. Test in a staging environment to confirm compatibility with your custom roles and integrations, as is standard practice for any version upgrade.

This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. CVE-2026-48507 information reflects publicly available data as of the publication date. Patch availability, version numbers, and upgrade procedures should be verified against official Snipe-IT vendor advisories and documentation. Security teams should conduct their own testing and validation before deploying patches in production environments. Actual risk varies based on system configuration, permission governance, network access controls, and organizational threat models. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).