{"uuid": "0b989ef0-72d3-42b9-9f8a-21c2d9383ed0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-6f75-x745-xcpr", "type": "seen", "source": "https://gist.github.com/alon710/3da2d0271b4ce13266c6eb8e48512bfd", "content": "# CVE-2026-48507: CVE-2026-48507: Incorrect Authorization in Snipe-IT Bulk User Edit and Merge Features\n\n&gt; **CVSS Score:** 7.1\n&gt; **Published:** 2026-06-23\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48507\n\n## Summary\nAn incorrect authorization vulnerability (CWE-863) in Snipe-IT versions prior to 8.6.0 allows authenticated, low-privileged users with granular 'users.edit' permissions to modify restricted user flags ('activated' and 'ldap_import') and merge high-privileged administrator accounts into standard user accounts. This allows an attacker to lock administrators out of the system or completely hijack administrator accounts.\n\n## TL;DR\nLow-privileged users with 'users.edit' permissions in Snipe-IT &lt; 8.6.0 can deactivate administrative accounts or hijack them via bulk edit and user merge features, leading to complete Denial of Service or horizontal privilege escalation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-863 (Incorrect Authorization)\n- **Attack Vector**: Network / Remote\n- **CVSS Score**: 7.1 (High)\n- **EPSS Score**: 0.00194 (Percentile: 9.18%)\n- **Impact**: Privilege Escalation / Denial of Service (Administrator Lockout)\n- **Exploit Status**: Proof-of-Concept via Integration Tests\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Snipe-IT Asset Management System (versions prior to 8.6.0)\n- **Snipe-IT**: &lt; 8.6.0 (Fixed in: `8.6.0`)\n\n## Mitigation\n\n- Upgrade Snipe-IT to version 8.6.0 or later immediately\n- Revoke 'users.edit' and 'users.delete' permissions from low-privileged users if upgrading is not immediately possible\n- Deploy WAF rules or reverse proxy blocks on endpoints '/users/bulkeditsave' and '/users/merge/save' for non-admin accounts\n\n**Remediation Steps:**\n1. Check current Snipe-IT version using administrative panel or command line\n2. If version is less than 8.6.0, run the database and codebase update tools to move to 8.6.0\n3. Verify permissions within 'Settings &gt; Groups' to check if low-privileged users possess access to bulk-edit and user-merge actions\n4. Monitor application logs for POST actions on '/users/bulkeditsave' containing 'activated=0' payload parameters\n\n## References\n\n- [GitHub Security Advisory (GHSA-6f75-x745-xcpr)](https://github.com/grokability/snipe-it/security/advisories/GHSA-6f75-x745-xcpr)\n- [Official Patch Commit](https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-48507)\n- [Wiz Vulnerability Database Details](https://www.wiz.io/vulnerability-database/cve/cve-2026-48507)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48507) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T02:11:40.000000Z"}