CVE-2026-55483
Published: 2026-06-23
Severity: medium
Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation

### Impact

The `store()` method in both the web and API `UsersController` only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the `users.create` permission to create a new user with full admin privileges. The `users.create` permission may commonly be delegated to HR staff, department leads, or similar roles.

### Patches

Patched in [aea3877718](https://github.com/grokability/snipe-it/commit/aea3877718158cc2a10c2dde4597b1f439f5f6cb)
### Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| snipe | snipe-it | >= 0 < 8.6.0 | 8.6.0 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.