CVE-2026-48493: Self-Privilege Escalation via Profile Modification in Snipe-IT
Vulnerability ID: CVE-2026-48493
CVSS Score: 5.5
Published: 2026-06-23
A privilege escalation vulnerability in Snipe-IT versions prior to 8.6.0 allows authenticated users with profile-editing capabilities to elevate their own permissions by performing a PATCH request on their own user endpoint.
TL;DR
Authenticated users with 'users.edit' can modify their own accounts via the API to self-grant arbitrary permissions, excluding global admin/superuser roles.
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS Score: 5.5
- EPSS Score: Not Indexed
- Impact: Privilege Escalation
- Exploit Status: PoC
- KEV Status: Not Listed
Affected Systems
- Snipe-IT < 8.6.0 (fixed in 8.6.0)
Code Analysis
Commit: Pull Re
Ensure non-superuser/admin users cannot update their own permissions
Mitigation Strategies
- Upgrade to Snipe-IT 8.6.0 or newer
- Audit and restrict 'users.edit' permissions for non-admin accounts
- Revoke API tokens for standard users during the interim mitigation period
Remediation Steps
- Identify running Snipe-IT version using the administrative dashboard.
- Execute backup of the application database and configuration files.
- Pull the latest release of Snipe-IT (version 8.6.0 or higher).
- Run the standard database migration and upgrade commands.
- Verify that self-privilege escalation attempts are blocked by testing a non-admin account.
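To support the audit step above (find non-admin accounts that hold 'users.edit'), here is an added Python script that is not part of the advisory or of Snipe-IT. It works offline on a constructed sample shaped like a Snipe-IT `GET /api/v1/users` response and can optionally pull live rows with a Bearer token. The endpoint, the `{"total": N, "rows": [...]}` envelope and the Bearer header are standard Snipe-IT API; that each row exposes a `permissions` map of "1"/"0"/"-1" strings is an assumption, so adjust `find_risky_editors` if your instance returns it differently.

```python
import json
import urllib.request

# Constructed sample in the shape of a Snipe-IT GET /api/v1/users response
# (assumption: each row carries a "permissions" map of "1"/"0"/"-1" strings).
SAMPLE_RESPONSE = json.dumps({
    "total": 4,
    "rows": [
        {"id": 1, "username": "root", "permissions": {"superuser": "1"}},
        {"id": 2, "username": "itadmin", "permissions": {"admin": "1", "users.edit": "1"}},
        {"id": 3, "username": "helpdesk", "permissions": {"users.view": "1", "users.edit": "1"}},
        {"id": 4, "username": "viewer", "permissions": {"users.view": "1"}},
    ],
})


def is_granted(permissions: dict, key: str) -> bool:
    """A permission counts as granted only when its value is the string "1"."""
    return str(permissions.get(key, "0")) == "1"


def find_risky_editors(rows: list) -> list:
    """Return usernames that hold users.edit without admin or superuser.
    Before 8.6.0 these accounts could raise their own privileges via a
    self-PATCH; after upgrading they remain the accounts to re-check."""
    risky = []
    for row in rows:
        perms = row.get("permissions") or {}
        if isinstance(perms, str):  # tolerate a JSON-encoded string
            perms = json.loads(perms)
        if is_granted(perms, "superuser") or is_granted(perms, "admin"):
            continue
        if is_granted(perms, "users.edit"):
            risky.append(row["username"])
    return risky


def audit_sample() -> list:
    """Run the audit over the embedded constructed sample."""
    return find_risky_editors(json.loads(SAMPLE_RESPONSE)["rows"])


def fetch_user_rows(base_url: str, token: str, limit: int = 500) -> list:
    """Page through a live instance's users. Assumes the standard Snipe-IT
    API (Bearer token, limit/offset paging) and an admin-scoped token."""
    rows, offset = [], 0
    while True:
        url = f"{base_url.rstrip('/')}/api/v1/users?limit={limit}&offset={offset}"
        req = urllib.request.Request(
            url,
            headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        rows.extend(page.get("rows", []))
        offset += limit
        if offset >= int(page.get("total", 0)):
            break
    return rows


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_user_rows(...) for a live audit.
    for name in audit_sample():
        print(f"non-admin with users.edit: {name}")
```

Each username the script prints is a candidate for having 'users.edit' removed, or for being moved into an admin-reviewed group, per the mitigation list above.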