HarborGuard Database

CVE-2026-48507 (HIGH) - CNA: GitHub_M

CVE-2026-48507: Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can log in) and the `ldap_import` flag (which determines whether or not the user can request a password reset). Version 8.6.0 contains a patch.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: not listed on this record
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authorization-bypass vulnerability in Snipe-IT, the open-source IT asset and license management system, allows any user holding the low-privilege `users.edit` permission to flip two sensitive account-control flags on other user accounts: `activated` (controls whether a user can log in) and `ldap_import` (controls whether a user can reset their password). The attack is reachable over the network with no elevated privileges beyond that single granular permission, and no victim interaction is required. Successful exploitation lets an attacker disable every admin account in the instance, achieving a complete authentication lockout. HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix version is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that package Snipe-IT. Any image found running an affected version of grokability/snipe-it is flagged immediately.

Triage: Available

HarborGuard scores this finding at CVSS 7.1 (HIGH) and weights it against each environment's compliance policy to determine routing priority. Triage results are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without any manual intervention required.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Snipe-IT web interface over the network; the vulnerable bulk-edit endpoint is exposed via HTTP.

  • Authentication: Required

    The attacker must hold a valid account with at least the low-privilege `users.edit` granular permission; any such account is sufficient.

  • Victim interaction: Not required

    No victim action is needed; the attacker submits the bulk-edit request directly without any social-engineering step.

  • Attack complexity: Low (AC:L)

    Exploitation is straightforward and condition-free: no race conditions or special environmental factors need to align for the attack to succeed.

Blast Radius

  • Sets the `activated` flag to false on all admin accounts, preventing every admin from logging into the instance.
  • Sets the `ldap_import` flag on admin accounts, blocking LDAP-authenticated admins from requesting a password reset, removing the self-service recovery path.
  • Results in a full administrative lockout of the Snipe-IT instance, halting asset and license management operations until an out-of-band database intervention restores at least one admin account.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version exists for CVE-2026-48507 at this time, HarborGuard continuously monitors the advisory and will make a patched-image rebuild available automatically when grokability publishes a fix. Until then, compensating controls are worth considering: network policy rules can restrict access to the Snipe-IT bulk-edit endpoint so that only known-good source CIDRs can reach it, and egress filtering can limit lateral movement if a lockout leads to further incident response activity. Organizations running Snipe-IT should also audit which accounts hold the `users.edit` permission and revoke it from any account that does not strictly require it, reducing the pool of principals who could trigger this vulnerability. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR against affected workloads will be generated automatically once the upstream patch lands.
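The permission audit recommended above, as an added example that is not HarborGuard's or Snipe-IT's own code: it walks an export of the `users` table, lists non-admin accounts that hold `users.edit` (the principals who could trigger this issue) and flags admin accounts that are already deactivated or have `ldap_import` set (no self-service password reset). The sample rows are constructed, and the assumption that `permissions` is a JSON object of `"permission": "1"` flags with `superuser` marking admins is about Snipe-IT's schema; adapt the parser if your export differs.

```python
import json

# Constructed sample rows shaped like an export of Snipe-IT's `users` table
# (id, username, permissions, activated, ldap_import). The JSON permission
# map and the "superuser" key are assumptions about the schema.
SAMPLE_USERS = [
    {"id": 1, "username": "admin", "permissions": '{"superuser":"1"}', "activated": 1, "ldap_import": 0},
    {"id": 2, "username": "helpdesk", "permissions": '{"users.view":"1","users.edit":"1"}', "activated": 1, "ldap_import": 0},
    {"id": 3, "username": "auditor", "permissions": '{"users.view":"1","users.edit":"0"}', "activated": 1, "ldap_import": 0},
    {"id": 4, "username": "backup-admin", "permissions": '{"superuser":"1"}', "activated": 0, "ldap_import": 1},
    {"id": 5, "username": "legacy", "permissions": "{not json", "activated": 1, "ldap_import": 0},
]


def parse_permissions(raw):
    """Return the permission map for one row, or None when the column cannot be parsed."""
    try:
        obj = json.loads(raw) if raw else {}
    except (json.JSONDecodeError, TypeError):
        return None
    return obj if isinstance(obj, dict) else None


def granted(perms, key):
    # Grants are stored as the string "1" (assumption); anything else is not a grant.
    return str(perms.get(key, "0")) == "1"


def audit_users(rows):
    """Classify accounts by their relevance to CVE-2026-48507."""
    report = {"can_edit_users_non_admin": [], "admins_deactivated": [],
              "admins_without_password_reset": [], "unparseable_permissions": []}
    for row in rows:
        perms = parse_permissions(row.get("permissions"))
        if perms is None:
            # Unreadable permission data must be reviewed by hand, not silently skipped.
            report["unparseable_permissions"].append(row["username"])
            continue
        is_admin = granted(perms, "superuser")
        if granted(perms, "users.edit") and not is_admin:
            report["can_edit_users_non_admin"].append(row["username"])
        if is_admin and not int(row.get("activated") or 0):
            report["admins_deactivated"].append(row["username"])
        if is_admin and int(row.get("ldap_import") or 0):
            report["admins_without_password_reset"].append(row["username"])
    return report


if __name__ == "__main__":
    for key, names in audit_users(SAMPLE_USERS).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Any name in `can_edit_users_non_admin` is a candidate for revocation until the instance is patched; a non-empty `admins_deactivated` list on an instance where nobody intended it is a sign the lockout described in the blast radius may already have happened.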

Affected packages

  • grokability / snipe-it: < 8.6.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H