Authorization Flaw in Snipe-IT IT Asset Management System
CVE-2026-48493

5.5 MEDIUM

Key Information:

Status
Vendor
CVE Published:
23 June 2026

What is CVE-2026-48493?

Snipe-IT versions before 8.6.0 contain an authorization flaw in the user API. A user who holds only the limited users.edit permission can send a PATCH request to /api/v1/users/{their_own_id} and write additional permissions onto their own account, for example the ability to create assets or view reports, which were never granted to them. Because the check behind the endpoint does not stop a user from escalating their own privileges, the flaw gives unauthorized access to sensitive functionality within the application. The issue is fixed in version 8.6.0; upgrading to that version is the remediation.
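The authorization decision behind this flaw, modelled as an added example that is not Snipe-IT's own code: a flawed check that accepts any body from a users.edit holder beside a hardened one that treats privilege fields as superuser-only and refuses self-escalation. The field names `permissions` and `groups`, the `superuser` flag and the check placement are assumptions.

```python
"""Constructed model of the user-PATCH authorization check (not Snipe-IT code)."""
from dataclasses import dataclass, field

# Fields of a user PATCH body that change what the target may do.
# Assumption: only a superuser may write them.
PRIVILEGE_FIELDS = frozenset({"permissions", "groups"})


@dataclass
class User:
    id: int
    permissions: dict = field(default_factory=dict)  # e.g. {"users.edit": "1"}

    def can(self, perm: str) -> bool:
        return self.permissions.get(perm) == "1"

    @property
    def is_superuser(self) -> bool:
        return self.can("superuser")


def authorize_user_patch(actor: User, target_id: int, payload: dict,
                         hardened: bool = True) -> tuple[bool, str]:
    """Decide whether `actor` may apply `payload` to user `target_id`.

    hardened=False reproduces the flawed behaviour the advisory describes:
    users.edit alone is enough, whatever fields the body carries.
    """
    if not actor.can("users.edit"):
        return False, "users.edit required"
    if not hardened:
        return True, "users.edit present"  # pre-8.6.0 behaviour (modelled)
    touched = PRIVILEGE_FIELDS.intersection(payload)
    if touched:
        if not actor.is_superuser:
            return False, f"superuser required to change {sorted(touched)}"
        if actor.id == target_id:
            return False, "cannot change own privileges"
    return True, "ok"


def apply_patch(actor: User, target: User, payload: dict,
                hardened: bool = True) -> User:
    """Apply the PATCH only when authorized, so a denied request changes nothing."""
    allowed, _ = authorize_user_patch(actor, target.id, payload, hardened)
    if allowed and "permissions" in payload:
        target.permissions.update(payload["permissions"])
    return target


if __name__ == "__main__":
    me = User(id=42, permissions={"users.edit": "1"})
    body = {"permissions": {"assets.create": "1", "reports.view": "1"}}
    print(authorize_user_patch(me, 42, body, hardened=False))  # flawed: allowed
    print(authorize_user_patch(me, 42, body))                  # hardened: denied
```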

Affected Version(s)

snipe-it < 8.6.0

References

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
