GHSA-hf68-g98v-wp9gMedium

Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation

Published
June 23, 2026
Last Modified
June 23, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

The store() method in both the web and API UsersController only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the users.create permission to create a new user with full admin privileges.

The users.create permission may commonly be delegated to HR staff, department leads, or similar roles.

Patches

Patched in aea3877718

🎯 Affected products1

  • composer/snipe/snipe-it:< 8.6.0

🔗 References (3)