CVE-2026-48507
Published 2026-06-08
Priority: P3 (39), high · CVSS 3.1 base score 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
EPSS: 0.19% (9.3th percentile)
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can log in) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grokability | snipe-it | < 8.6.0 | 8.6.0 |
| snipe | snipe-it | >= 0 < 8.6.0 | 8.6.0 |
| snipeitapp | snipe-it | < 8.6.0 | 8.6.0 |
GHSA · 2026-06-23 · CVE-2026-48507 [HIGH] CWE-863
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
### Impact
The vulnerability allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can log in) and the `ldap_import` flag, which determines whether or not the user can request a password reset.
### Patches
Patched in https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a
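The authorization gap described in the Impact section, as an added toy model that is not Snipe-IT code and does not reproduce the linked commit: a bulk editor that only checks the coarse `users.edit` permission and therefore lets a non-admin flip `activated` and `ldap_import` on every selected account, beside a hardened editor that reserves those two flags for superadmins and refuses non-superadmin edits to superadmin accounts. The `User` model, the `users.edit` permission string, the editable-field list and the sample accounts are assumptions constructed for the demo.

```python
"""Toy model of the Snipe-IT bulk-user-edit authorization bug (CVE-2026-48507).

Not project code: the data model, the ``users.edit`` permission string and the
editable-field list are assumptions for the demo. Only the two flag names
(``activated``, ``ldap_import``) come from the advisory.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    is_superuser: bool = False
    permissions: set[str] = field(default_factory=set)  # granular permissions
    department: str = ""
    activated: bool = True       # False: the account cannot log in
    ldap_import: bool = False    # True: the account cannot request a password reset


# Flags whose change has security consequences for the *target* account.
PRIVILEGED_FIELDS = frozenset({"activated", "ldap_import"})
# Everything the bulk editor is willing to write (assumed list for the demo).
EDITABLE_FIELDS = frozenset({"department"}) | PRIVILEGED_FIELDS


def can_edit_users(actor: User) -> bool:
    return actor.is_superuser or "users.edit" in actor.permissions


def bulk_edit_vulnerable(actor: User, targets: list[User], changes: dict) -> None:
    """Pre-8.6.0 behaviour as the advisory describes it: the only gate is the
    coarse users.edit permission, so the privileged flags are writable by a
    non-admin and are applied to every selected account, admins included."""
    if not can_edit_users(actor):
        raise PermissionError(f"{actor.username} lacks users.edit")
    for user in targets:
        for name, value in changes.items():
            if name in EDITABLE_FIELDS:
                setattr(user, name, value)


def bulk_edit_fixed(actor: User, targets: list[User], changes: dict) -> None:
    """Hardened form (our own, not the project's patch): the privileged flags
    require superadmin, and a non-superadmin may not touch superadmin accounts
    at all, so a users.edit holder can never lock the admins out."""
    if not can_edit_users(actor):
        raise PermissionError(f"{actor.username} lacks users.edit")
    if not actor.is_superuser:
        privileged = PRIVILEGED_FIELDS.intersection(changes)
        if privileged:
            raise PermissionError(
                f"{actor.username} may not change {sorted(privileged)}")
        protected = [u.username for u in targets if u.is_superuser]
        if protected:
            raise PermissionError(
                f"{actor.username} may not edit superadmins {protected}")
    for user in targets:
        for name, value in changes.items():
            if name in EDITABLE_FIELDS:
                setattr(user, name, value)


def locked_out_admins(users: list[User]) -> list[str]:
    """Superadmins that can neither log in nor recover via password reset."""
    return [u.username for u in users
            if u.is_superuser and not u.activated and u.ldap_import]


def run_demo(editor) -> tuple[list[str], bool]:
    """Build a fresh constructed instance, run ``editor`` as the low-privilege
    actor, and return (locked-out admins, whether the edit was refused)."""
    admins = [User("admin", is_superuser=True),
              User("backup-admin", is_superuser=True)]
    attacker = User("mallory", permissions={"users.edit"})   # non-admin
    payload = {"activated": False, "ldap_import": True, "department": "ops"}
    try:
        editor(attacker, admins, payload)
        refused = False
    except PermissionError:
        refused = True
    return locked_out_admins(admins), refused


if __name__ == "__main__":
    print("vulnerable:", run_demo(bulk_edit_vulnerable))
    print("fixed:     ", run_demo(bulk_edit_fixed))
```

Running the script shows the vulnerable editor leaving both superadmins deactivated and unable to reset their password, while the hardened editor rejects the same request outright; ordinary field edits on non-admin accounts still go through for a `users.edit` holder, and a superadmin can still set the privileged flags.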
VulDB · 2026-06-08 · CVSS 7.1 · CVE-2026-48507 [HIGH]
Grokability Snipe-IT up to 8.5.x Password Reset authorization (GHSA-6f75-x745-xcpr)
A vulnerability was found in Grokability Snipe-IT up to 8.5.x and classified as problematic. Affected by this issue is some unknown functionality of the component Password Reset Handler. The manipulation results in incorrect authorization.
This vulnerability is reported as CVE-2026-48507. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.