https://vulnerability.circl.lu/sightings/feedMost recent sightings.2026-06-24T22:33:56.332747+00:00Vulnerability-Lookupinfo@circl.lupython-feedgenContains only the most 10 recent sightings.https://vulnerability.circl.lu/sighting/0b989ef0-72d3-42b9-9f8a-21c2d9383ed0/export0b989ef0-72d3-42b9-9f8a-21c2d9383ed02026-06-24T22:33:56.341146+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "0b989ef0-72d3-42b9-9f8a-21c2d9383ed0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-6f75-x745-xcpr", "type": "seen", "source": "https://gist.github.com/alon710/3da2d0271b4ce13266c6eb8e48512bfd", "content": "# CVE-2026-48507: CVE-2026-48507: Incorrect Authorization in Snipe-IT Bulk User Edit and Merge Features\n\n> **CVSS Score:** 7.1\n> **Published:** 2026-06-23\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48507\n\n## Summary\nAn incorrect authorization vulnerability (CWE-863) in Snipe-IT versions prior to 8.6.0 allows authenticated, low-privileged users with granular 'users.edit' permissions to modify restricted user flags ('activated' and 'ldap_import') and merge high-privileged administrator accounts into standard user accounts. This allows an attacker to lock administrators out of the system or completely hijack administrator accounts.\n\n## TL;DR\nLow-privileged users with 'users.edit' permissions in Snipe-IT < 8.6.0 can deactivate administrative accounts or hijack them via bulk edit and user merge features, leading to complete Denial of Service or horizontal privilege escalation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-863 (Incorrect Authorization)\n- **Attack Vector**: Network / Remote\n- **CVSS Score**: 7.1 (High)\n- **EPSS Score**: 0.00194 (Percentile: 9.18%)\n- **Impact**: Privilege Escalation / Denial of Service (Administrator Lockout)\n- **Exploit Status**: Proof-of-Concept via Integration Tests\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Snipe-IT Asset Management System (versions prior to 8.6.0)\n- **Snipe-IT**: < 8.6.0 (Fixed in: `8.6.0`)\n\n## Mitigation\n\n- Upgrade Snipe-IT to version 8.6.0 or later immediately\n- Revoke 'users.edit' and 'users.delete' permissions from low-privileged users if upgrading is not immediately possible\n- Deploy WAF rules or reverse proxy blocks on endpoints '/users/bulkeditsave' and '/users/merge/save' for non-admin accounts\n\n**Remediation Steps:**\n1. Check current Snipe-IT version using administrative panel or command line\n2. If version is less than 8.6.0, run the database and codebase update tools to move to 8.6.0\n3. Verify permissions within 'Settings > Groups' to check if low-privileged users possess access to bulk-edit and user-merge actions\n4. Monitor application logs for POST actions on '/users/bulkeditsave' containing 'activated=0' payload parameters\n\n## References\n\n- [GitHub Security Advisory (GHSA-6f75-x745-xcpr)](https://github.com/grokability/snipe-it/security/advisories/GHSA-6f75-x745-xcpr)\n- [Official Patch Commit](https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-48507)\n- [Wiz Vulnerability Database Details](https://www.wiz.io/vulnerability-database/cve/cve-2026-48507)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48507) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T02:11:40.000000Z"}2026-06-24T02:11:40+00:00https://vulnerability.circl.lu/sighting/cb5acf17-8b6c-47b1-a459-c4c770e5bf7d/exportcb5acf17-8b6c-47b1-a459-c4c770e5bf7d2026-06-24T22:33:56.339775+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "cb5acf17-8b6c-47b1-a459-c4c770e5bf7d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-6f75-x745-xcpr", "type": "seen", "source": "https://gist.github.com/alon710/e0c0df432c86420f7e6e4e56d0b5a192", "content": "# CVE-2026-48507: CVE-2026-48507: Incorrect Authorization in Snipe-IT Bulk User Edit and Merge Features\n\n> **CVSS Score:** 7.1\n> **Published:** 2026-06-23\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48507\n\n## Summary\nAn incorrect authorization vulnerability (CWE-863) in Snipe-IT versions prior to 8.6.0 allows authenticated, low-privileged users with granular 'users.edit' permissions to modify restricted user flags ('activated' and 'ldap_import') and merge high-privileged administrator accounts into standard user accounts. This allows an attacker to lock administrators out of the system or completely hijack administrator accounts.\n\n## TL;DR\nLow-privileged users with 'users.edit' permissions in Snipe-IT < 8.6.0 can deactivate administrative accounts or hijack them via bulk edit and user merge features, leading to complete Denial of Service or horizontal privilege escalation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-863 (Incorrect Authorization)\n- **Attack Vector**: Network / Remote\n- **CVSS Score**: 7.1 (High)\n- **EPSS Score**: 0.00194 (Percentile: 9.18%)\n- **Impact**: Privilege Escalation / Denial of Service (Administrator Lockout)\n- **Exploit Status**: Proof-of-Concept via Integration Tests\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Snipe-IT Asset Management System (versions prior to 8.6.0)\n- **Snipe-IT**: < 8.6.0 (Fixed in: `8.6.0`)\n\n## Mitigation\n\n- Upgrade Snipe-IT to version 8.6.0 or later immediately\n- Revoke 'users.edit' and 'users.delete' permissions from low-privileged users if upgrading is not immediately possible\n- Deploy WAF rules or reverse proxy blocks on endpoints '/users/bulkeditsave' and '/users/merge/save' for non-admin accounts\n\n**Remediation Steps:**\n1. Check current Snipe-IT version using administrative panel or command line\n2. If version is less than 8.6.0, run the database and codebase update tools to move to 8.6.0\n3. Verify permissions within 'Settings > Groups' to check if low-privileged users possess access to bulk-edit and user-merge actions\n4. Monitor application logs for POST actions on '/users/bulkeditsave' containing 'activated=0' payload parameters\n\n## References\n\n- [GitHub Security Advisory (GHSA-6f75-x745-xcpr)](https://github.com/grokability/snipe-it/security/advisories/GHSA-6f75-x745-xcpr)\n- [Official Patch Commit](https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-48507)\n- [Wiz Vulnerability Database Details](https://www.wiz.io/vulnerability-database/cve/cve-2026-48507)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48507) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T02:22:36.000000Z"}2026-06-24T02:22:36+00:00