CVE-2026-48507 HIGH

CVE-2026-48507: Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users

Vendor Grokability
Product snipe-it
Weakness CWE-863 · Incorrect authorization
Published June 8, 2026
Last update June 8, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

Description

Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a non-admin user holding only the granular `users.edit` permission can lock every admin out of the instance by bulk-editing two user fields: the `activated` flag, which determines whether a user can log in, and the `ldap_import` flag, which determines whether a user can request a password reset. Version 8.6.0 contains a patch.

Key dates

Disclosure timeline

June 8, 2026 CVE published
June 8, 2026 Record updated