Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:HSnipeitapp Snipe It
APPSnipeitapp< 8.6.0
Related vulnerabilities
RCE w Snipe-IT — Insecure Permissions w API uploadu plików
RCE w Snipe-IT via złośliwy plik backup (CVE-2025-63601)
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit...
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insu...
Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious...