{"vulnerability": "GHSA-52fw-7fw2-fmv5", "sightings": [{"uuid": "605d5ea1-123a-4dfa-ad97-3bacadcad66b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-52fw-7fw2-fmv5", "type": "seen", "source": "https://gist.github.com/alon710/0deb8ac6eb09e699071fdbd4071e986c", "content": "# CVE-2026-48493: CVE-2026-48493: Self-Privilege Escalation via Profile Modification in Snipe-IT\n\n&gt; **CVSS Score:** 5.5\n&gt; **Published:** 2026-06-23\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48493\n\n## Summary\nA privilege escalation vulnerability in Snipe-IT versions prior to 8.6.0 allows authenticated users with profile-editing capabilities to elevate their own permissions by performing a PATCH request on their own user endpoint.\n\n## TL;DR\nAuthenticated users with 'users.edit' can modify their own accounts via the API to self-grant arbitrary permissions, excluding global admin/superuser roles.\n\n## Technical Details\n\n- **CWE ID**: CWE-863\n- **Attack Vector**: Network\n- **CVSS Score**: 5.5\n- **EPSS Score**: Not Indexed\n- **Impact**: Privilege Escalation\n- **Exploit Status**: poc\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Snipe-IT prior to 8.6.0\n- **Snipe-IT**: &lt; 8.6.0 (Fixed in: `8.6.0`)\n\n## Mitigation\n\n- Upgrade to Snipe-IT 8.6.0 or newer\n- Audit and restrict 'users.edit' permissions for non-admin accounts\n- Revoke API tokens for standard users during interim mitigation period\n\n**Remediation Steps:**\n1. Identify running Snipe-IT version using the administrative dashboard.\n2. Execute backup of the application database and configuration files.\n3. Pull the latest release of Snipe-IT (version 8.6.0 or higher).\n4. Run the standard database migration and upgrade commands.\n5. Verify that self-privilege escalation attempts are blocked by testing a non-admin account.\n\n## References\n\n- [Official GitHub Advisory Page](https://github.com/grokability/snipe-it/security/advisories/GHSA-52fw-7fw2-fmv5)\n- [Official Fix Pull Request](https://github.com/grokability/snipe-it/pull/19024)\n- [CVE Record Details](https://www.cve.org/CVERecord?id=CVE-2026-48493)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48493) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T05:42:05.000000Z"}]}