GHSA-6f75-x745-xcprHighCVSS 7.1

Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users

Published
June 23, 2026
Last Modified
June 23, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

The vulnerability allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag (which determines whether or not a user can login) and the ldap_import flag, which determines whether or not the user can request a password reset.

Patches

Patched in https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a

🎯 Affected products1

  • composer/snipe/snipe-it:< 8.6.0

🔗 References (4)