CVE-2026-55843 PUBLISHED

Snipe-IT: Improper Privilege Management

Assigner: GitHub_M
Reserved: 17.06.2026 Published: 10.07.2026 Updated: 10.07.2026

Snipe-IT is an IT asset/license management system. Prior to 8.6.0, UsersController::update() passes a missing permission request field through NormalizePermissionsPayloadAction and PreserveUnauthorizedPrivilegedPermissionsAction in a way that can overwrite a target user’s permissions with a sparse result, allowing an administrator updating another administrator, or a user with users.edit updating a regular account, to remove the target’s administrative or granular permissions. This issue is fixed in version 8.6.0.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7

Product Status

Vendor grokability
Product snipe-it
Versions
  • Version < 8.6.0 is affected

References

Problem Types

  • CWE-269: Improper Privilege Management CWE