CVE-2026-48507NVD

Vulnerability Summary

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.

Severity Level

HIGH(7.1)

Published Date

Jun 8, 2026

Last Modified

Jun 9, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.04%Probability

Root Weakness (CWE)

CWE-863: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

ScopeUnchanged

ConfidentialityNone

IntegrityLow

AvailabilityHigh

External References

https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a
https://github.com/grokability/snipe-it/security/advisories/GHSA-6f75-x745-xcpr

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-48507NVD

Vulnerability Summary

External References