Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-48507

CVE-2026-48507: Snipe-IT Auth Bypass Vulnerability

CVE-2026-48507 is an authentication bypass flaw in Snipeitapp Snipe-IT that allows non-admin users to lock out all administrators from the system. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-48507 Overview

CVE-2026-48507 is an authorization flaw [CWE-863] in Snipe-IT, an open-source IT asset and license management system. The vulnerability affects all versions prior to 8.6.0. A low-privileged user holding only the granular users.edit permission can modify the activated and ldap_import flags on other accounts, including administrators. By flipping the activated flag, the attacker prevents admins from logging in, and by toggling the ldap_import flag, the attacker blocks password reset requests. The result is a complete administrative lockout of the Snipe-IT instance from a non-admin context.

Critical Impact

A user with only users.edit permission can disable every administrator account and block password resets, locking the entire organization out of its asset management platform.

Affected Products

  • Snipe-IT versions prior to 8.6.0
  • Vendor: snipeitapp
  • CPE: cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*:*

Discovery Timeline

Technical Details for CVE-2026-48507

Vulnerability Analysis

The flaw is a broken access control issue in the user edit workflow. Snipe-IT exposes granular permissions so administrators can delegate specific user-management functions. The users.edit permission is intended to allow a delegated operator to update basic profile attributes on user records. However, the edit endpoint does not segregate sensitive account-state fields from general profile fields. The activated flag, which gates login access, and the ldap_import flag, which governs password reset eligibility, are both writable through the same endpoint without an additional authorization check. As a result, a holder of users.edit can modify the security posture of any account, including superusers, beyond the privilege level granted to them.

Root Cause

The root cause is missing field-level authorization on the user update handler. The application checks whether the caller has users.edit but does not verify whether the caller has the higher privilege required to alter account state flags such as activated and ldap_import. This is a classic incorrect authorization pattern [CWE-863] in which a single coarse permission gate protects fields with very different security impact.

Attack Vector

Exploitation requires an authenticated session with the users.edit permission and network reachability to the Snipe-IT web interface. The attacker submits a user update request targeting administrator accounts and sets activated=0 for each admin. The attacker can additionally toggle ldap_import=1 to disable the in-app password reset path. Once all admins are locked out, recovery requires database-level intervention. The advisory and patch are linked in the GitHub Security Advisory GHSA-6f75-x745-xcpr.

Detection Methods for CVE-2026-48507

Indicators of Compromise

  • Audit log entries showing changes to the activated field on administrator accounts performed by non-admin users.
  • Audit log entries showing changes to the ldap_import field on accounts that were not provisioned through Lightweight Directory Access Protocol (LDAP).
  • Sudden inability of multiple administrators to authenticate within a short time window.
  • HTTP PUT or PATCH requests to /users/{id} originating from accounts that hold only users.edit.

Detection Strategies

  • Review Snipe-IT activity logs for update actions on user records where the activated or ldap_import field changed and the actor lacks the superuser role.
  • Correlate web server access logs with application audit logs to identify the source IP and session associated with suspicious user edits.
  • Alert on any state change that disables an administrator account, regardless of actor.

Monitoring Recommendations

  • Forward Snipe-IT application logs and web access logs to a centralized logging or SIEM platform for retention and correlation.
  • Create alerts for failed administrator logins exceeding a baseline threshold, which can indicate post-exploitation lockout.
  • Monitor for password reset requests that fail due to the ldap_import flag being unexpectedly set.

How to Mitigate CVE-2026-48507

Immediate Actions Required

  • Upgrade Snipe-IT to version 8.6.0 or later, which contains the fix in commit 403f9c848b05274642f64450696bdcdc242a352a.
  • Audit all accounts that hold the granular users.edit permission and revoke it where it is not strictly required.
  • Review the current state of the activated and ldap_import flags on all administrator accounts to confirm no unauthorized changes occurred.

Patch Information

The vendor released the fix in Snipe-IT 8.6.0. The change is published in grokability/snipe-it commit 403f9c84 and described in GHSA-6f75-x745-xcpr. The patch enforces additional authorization on sensitive account-state fields so that holders of users.edit alone cannot modify them.

Workarounds

  • Restrict the users.edit permission to fully trusted operators until the upgrade is applied.
  • Place the Snipe-IT web interface behind network access controls so that only known administrative networks can reach user management endpoints.
  • Maintain an out-of-band administrator account that is not editable through the standard workflow, and store recovery procedures for re-enabling locked accounts via direct database access.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.