cbcvebase.
CVE-2026-55483
published 2026-06-23

CVE-2026-55483: Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation ### Impact The `store()` method in both the web and API…

medium
Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation

### Impact
The `store()` method in both the web and API `UsersController` only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the `users.create` permission to create a new user with full admin privileges.

The `users.create permission` may commonly be delegated to HR staff, department leads, or similar roles.

### Patches
Patched in [aea3877718](https://github.com/grokability/snipe-it/commit/aea3877718158cc2a10c2dde4597b1f439f5f6cb)

Affected

1 ranges
VendorProductVersion rangeFixed in
snipesnipe-it>= 0 < 8.6.08.6.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.