CVE Catalog

CVE-2026-48507

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

11th percentile - higher than 11% of all known CVEs

Summary

In the Snipe-IT IT asset management system, versions prior to 8.6.0 have a vulnerability that allows a non-admin user with only the `users.edit` permission to lock all admins out by editing the `activated` flag and the `ldap_import` flag. Version 8.6.0 contains a patch.

Risk Assessment

The organization may lose control over the asset management system, leading to potential downtimes and access issues to critical functions. Locking out admins may also impact data security.

Recommendation

It is recommended to upgrade to version 8.6.0 or later to mitigate this vulnerability. Additionally, reviewing user permissions in the system is advisable.

Original NVD description (English source)

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS