DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48507: Incorrect Authorization in Snipe-IT Bulk User Edit and Merge Features

Vulnerability ID: CVE-2026-48507
CVSS Score: 7.1
Published: 2026-06-23

An incorrect authorization vulnerability (CWE-863) in Snipe-IT versions prior to 8.6.0 allows authenticated, low-privileged users holding the granular 'users.edit' permission to modify restricted user flags ('activated' and 'ldap_import') and to merge high-privileged administrator accounts into standard user accounts. An attacker holding only that permission can thereby lock administrators out of the system or completely hijack their accounts.

TL;DR

Low-privileged users with 'users.edit' permissions in Snipe-IT < 8.6.0 can deactivate administrative accounts or hijack them via bulk edit and user merge features, leading to complete Denial of Service or horizontal privilege escalation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863 (Incorrect Authorization)
  • Attack Vector: Network / Remote
  • CVSS Score: 7.1 (High)
  • EPSS Score: 0.00194 (Percentile: 9.18%)
  • Impact: Privilege Escalation / Denial of Service (Administrator Lockout)
  • Exploit Status: Proof-of-Concept via Integration Tests
  • KEV Status: Not Listed

Affected Systems

  • Snipe-IT Asset Management System (versions prior to 8.6.0)
  • Snipe-IT: < 8.6.0 (Fixed in: 8.6.0)

Code Analysis

Commit: 403f9c8

Fix bulk update and merge authorization checks
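The commit itself is not reproduced on this page, so the following added Python sketch shows the CWE-863 pattern the advisory describes and one way to close it. It is not Snipe-IT's code (which is PHP) and does not reproduce the contents of commit 403f9c8: the 'before' function accepts any field from any holder of 'users.edit', while the hardened functions refuse restricted flags, and edits or merges that touch superuser accounts, unless the actor is a superuser. Only 'users.edit', 'activated' and 'ldap_import' come from the advisory; the data model, the `is_superuser` attribute and the function names are assumptions.

```python
"""Field-level authorization for bulk user edit and user merge.

Added illustration of the CWE-863 pattern this advisory describes. It is
not Snipe-IT's code and does not reproduce commit 403f9c8: the data model,
the `is_superuser` attribute and the function names are assumptions; only
`users.edit`, `activated` and `ldap_import` come from the advisory.
"""
from dataclasses import dataclass, field
from typing import Optional

# Flags that the advisory says must not be reachable via users.edit alone.
RESTRICTED_FLAGS = {"activated", "ldap_import"}


class Forbidden(Exception):
    """Raised when an actor lacks authority for the requested change."""


@dataclass
class User:
    id: int
    username: str
    permissions: set = field(default_factory=set)   # granular grants, e.g. {"users.edit"}
    is_superuser: bool = False                       # assumed name for the admin role
    activated: bool = True
    ldap_import: bool = False
    merged_into: Optional[int] = None


def _require_users_edit(actor):
    if not (actor.is_superuser or "users.edit" in actor.permissions):
        raise Forbidden("users.edit required")


def bulk_update_vulnerable(actor, targets, changes):
    """'Before' pattern: the only check is the coarse users.edit grant, so a
    low-privileged holder can flip restricted flags on an administrator."""
    _require_users_edit(actor)
    for user in targets:
        for name, value in changes.items():
            setattr(user, name, value)
    return targets


def bulk_update_fixed(actor, targets, changes):
    """Hardened pattern: users.edit still gates the action, but restricted
    flags and edits that touch superuser accounts need a superuser actor."""
    _require_users_edit(actor)
    if not actor.is_superuser:
        touched = RESTRICTED_FLAGS & set(changes)
        if touched:
            raise Forbidden("only a superuser may change " + ", ".join(sorted(touched)))
        if any(u.is_superuser for u in targets):
            raise Forbidden("only a superuser may edit superuser accounts")
    for user in targets:
        for name, value in changes.items():
            setattr(user, name, value)
    return targets


def merge_users_fixed(actor, sources, destination):
    """Merge `sources` into `destination`. A non-superuser may not fold a
    superuser account into another account, which is the takeover path."""
    _require_users_edit(actor)
    if not actor.is_superuser and (
        any(s.is_superuser for s in sources) or destination.is_superuser
    ):
        raise Forbidden("only a superuser may merge superuser accounts")
    for s in sources:
        s.activated = False            # the merged-away login is retired
        s.merged_into = destination.id
    return destination


def is_denied(fn, *args):
    """True when the call is rejected with Forbidden; used by demo() and tests."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def demo():
    """Exercise both patterns with a low-privileged actor against an admin."""
    helpdesk = User(2, "helpdesk", permissions={"users.edit"})
    admin = User(1, "admin", is_superuser=True)
    results = {}
    # Before: helpdesk can deactivate the administrator (lockout).
    bulk_update_vulnerable(helpdesk, [admin], {"activated": False})
    results["vulnerable_locks_out_admin"] = admin.activated is False
    # After: the same request is refused, while ordinary edits still work.
    admin.activated = True
    results["fixed_denies_flag_change"] = is_denied(bulk_update_fixed, helpdesk, [admin], {"activated": False})
    results["fixed_denies_admin_merge"] = is_denied(merge_users_fixed, helpdesk, [admin], helpdesk)
    peer = User(3, "intern")
    bulk_update_fixed(helpdesk, [peer], {"username": "intern2"})
    results["fixed_allows_plain_edit"] = peer.username == "intern2"
    results["superuser_can_merge"] = (
        merge_users_fixed(admin, [peer], helpdesk) is helpdesk and peer.merged_into == 2
    )
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The separation matters in practice: a coarse 'users.edit' grant is legitimately needed by helpdesk staff for names, departments and similar fields, so the fix is a field-level and target-level check rather than removing the permission.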

Exploit Details

Mitigation Strategies

  • Upgrade Snipe-IT to version 8.6.0 or later immediately
  • Revoke 'users.edit' and 'users.delete' permissions from low-privileged users if upgrading is not immediately possible
  • Deploy WAF rules or reverse proxy blocks on endpoints '/users/bulkeditsave' and '/users/merge/save' for non-admin accounts

Remediation Steps:

  1. Check current Snipe-IT version using administrative panel or command line
  2. If version is less than 8.6.0, run the database and codebase update tools to move to 8.6.0
  3. Verify permissions within 'Settings > Groups' to check if low-privileged users possess access to bulk-edit and user-merge actions
  4. Monitor application logs for POST actions on '/users/bulkeditsave' containing 'activated=0' payload parameters
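Step 4 calls for log monitoring; the following added Python scanner (not part of the original report) applies that rule to a constructed application audit log. Standard web server access logs do not record POST bodies, so the check needs an application-level log that captures request parameters; the line format, the role field and every parameter name except 'activated' and 'ldap_import' are constructed for the example. It also generalizes the rule slightly: it flags any non-superuser POST to '/users/bulkeditsave' that sets 'activated' or 'ldap_import', and any non-superuser POST to '/users/merge/save'.

```python
"""Scan an application audit log for the requests the advisory's step 4 describes.

Added example, not part of the original report. The log format, the role
field and the parameter names other than `activated` / `ldap_import` are
constructed for this illustration.
"""
import re
from urllib.parse import parse_qs

WATCHED_PATHS = {"/users/bulkeditsave", "/users/merge/save"}
RESTRICTED_PARAMS = {"activated", "ldap_import"}
PRIVILEGED_ROLES = {"superuser"}   # actors for whom these requests are expected

# One audit record per line; `body` holds the URL-encoded POST parameters.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) '
    r'method=(?P<method>[A-Z]+) path=(?P<path>\S+) body="(?P<body>[^"]*)"$'
)

# Constructed sample: one legitimate admin bulk edit, three suspicious
# requests from low-privileged accounts, one GET and one unrelated endpoint.
SAMPLE_LOG = """\
2026-06-24T09:58:11Z user=alice role=superuser method=POST path=/users/bulkeditsave body="ids[]=7&ids[]=8&department_id=3"
2026-06-24T10:01:42Z user=helpdesk role=user method=POST path=/users/bulkeditsave body="ids[]=1&activated=0"
2026-06-24T10:02:05Z user=helpdesk role=user method=POST path=/users/merge/save body="ids_to_merge[]=1&merge_into_id=9"
2026-06-24T10:02:30Z user=helpdesk role=user method=GET path=/users/1/edit body=""
2026-06-24T10:03:10Z user=bob role=user method=POST path=/users/bulkeditsave body="ids[]=12&ldap_import=1"
2026-06-24T10:04:00Z user=bob role=user method=POST path=/hardware/bulkedit body="ids[]=3&status_id=2"
"""


def parse_line(line):
    """Return a dict for a well-formed record, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["params"] = parse_qs(event["body"], keep_blank_values=True)
    return event


def classify(event):
    """Return a short reason if the record matches the advisory's indicators."""
    if event["method"] != "POST" or event["path"] not in WATCHED_PATHS:
        return None
    if event["role"] in PRIVILEGED_ROLES:
        return None
    if event["path"] == "/users/merge/save":
        return "user merge submitted by non-superuser"
    touched = RESTRICTED_PARAMS & set(event["params"])
    if touched:
        values = ", ".join(f"{k}={event['params'][k][0]}" for k in sorted(touched))
        return f"restricted flag(s) set by non-superuser: {values}"
    return None


def scan(log_text):
    """Return (timestamp, user, path, reason) for every suspicious record."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reason = classify(event)
        if reason:
            findings.append((event["ts"], event["user"], event["path"], reason))
    return findings


if __name__ == "__main__":
    for ts, user, path, reason in scan(SAMPLE_LOG):
        print(f"{ts} {user} {path}: {reason}")
```

Run against the constructed sample, the scanner reports the two 'helpdesk' requests and the 'ldap_import' change by 'bob' and ignores the superuser's bulk edit, the GET, and the unrelated endpoint. Because the role is read from the log record, the same logic works whether the actor's privilege is joined in at log-write time or looked up from the user table during the scan.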

References


Read the full report for CVE-2026-48507 on our website for more details including interactive diagrams and full exploit analysis.
