CVE-2026-48507
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
In the Snipe-IT IT asset management system, versions prior to 8.6.0 have a vulnerability that allows a non-admin user with only the `users.edit` permission to lock all admins out by editing the `activated` flag and the `ldap_import` flag. Version 8.6.0 contains a patch.
Risk Assessment
The organization may lose control over the asset management system, leading to potential downtimes and access issues to critical functions. Locking out admins may also impact data security.
Recommendation
It is recommended to upgrade to version 8.6.0 or later to mitigate this vulnerability. Additionally, reviewing user permissions in the system is advisable.
Original NVD description (English source)
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.

