SB2026060947 - Multiple vulnerabilities in snipe-it

Published: June 9, 2026

Security Bulletin ID: SB2026060947
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-48507)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper access control in the bulk user editing functionality when modifying user account flags. A remote user can change the activated and ldap_import flags for other users to cause a denial of service.

The issue allows a user with only the granular users.edit permission to lock administrators out of the instance.


2) Improper access control (CVE-ID: CVE-2026-48493)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in the /api/v1/users/{their_own_id} API endpoint when processing PATCH requests for a user's own account. A remote privileged user can send a crafted PATCH request to grant themselves additional permissions and escalate privileges.

The issue allows assignment of permissions other than admin and superuser.
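Issues 1 and 2 share a root cause: the check is made per endpoint rather than per attribute, so a self-service PATCH can reach permission fields and a granular users.edit holder can reach account flags on other users. The following is an added illustration of a single attribute-level policy that both code paths would consult; it is not Snipe-IT's code. The attribute names activated, ldap_import and permissions and the granular users.edit permission come from this bulletin; the User type, the Forbidden exception and the superuser shortcut are assumptions made for the example.

```python
"""Attribute-level authorization shared by self-service PATCH and bulk edit.

Added illustrative example, not Snipe-IT code. The attribute names
activated, ldap_import and permissions and the granular users.edit
permission come from the bulletin; the User shape, the Forbidden
exception and the superuser shortcut are assumptions for this example.
"""
from dataclasses import dataclass, field

# Attributes that change what an account may do or whether it can log in.
PRIVILEGE_FIELDS = {"permissions"}
ACCOUNT_FLAGS = {"activated", "ldap_import"}
# Descriptive attributes a granular editor may legitimately maintain.
PROFILE_FIELDS = {"first_name", "last_name", "phone", "jobtitle"}
KNOWN_FIELDS = PRIVILEGE_FIELDS | ACCOUNT_FLAGS | PROFILE_FIELDS


@dataclass
class User:
    id: int
    superuser: bool = False
    permissions: set = field(default_factory=set)
    activated: bool = True
    ldap_import: bool = False
    profile: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the actor may not apply the requested change."""


def authorize_update(actor: User, target: User, changes: dict) -> None:
    """Raise Forbidden unless `actor` may apply every key in `changes` to `target`.

    The decision is made per attribute, not per endpoint, so the same rule
    protects a user's own PATCH request and a bulk edit of other accounts.
    """
    requested = set(changes)
    unknown = requested - KNOWN_FIELDS
    if unknown:
        raise Forbidden(f"unknown attributes {sorted(unknown)}")
    if actor.superuser:
        return  # superusers may change any attribute, including their own
    sensitive = requested & (PRIVILEGE_FIELDS | ACCOUNT_FLAGS)
    if actor.id == target.id:
        # A user's own update may touch profile data only: no granting
        # permissions to oneself and no toggling of account flags.
        if sensitive:
            raise Forbidden(f"self-service update may not set {sorted(sensitive)}")
        return
    if "users.edit" not in actor.permissions:
        raise Forbidden("actor may not edit other users")
    if sensitive:
        # Granular users.edit is a profile-maintenance right; deactivating
        # or converting other accounts stays with superusers.
        raise Forbidden(f"users.edit may not set {sorted(sensitive)} on others")


def apply_update(actor: User, target: User, changes: dict) -> User:
    """Authorize, then write the attributes to the target record."""
    authorize_update(actor, target, changes)
    for key, value in changes.items():
        if key in PROFILE_FIELDS:
            target.profile[key] = value
        else:
            setattr(target, key, value)
    return target


def bulk_update(actor: User, targets: list, changes: dict) -> list:
    """Authorize every target before writing any, so a rejected batch
    leaves no account half-modified."""
    for target in targets:
        authorize_update(actor, target, changes)
    for target in targets:
        apply_update(actor, target, changes)
    return targets
```

Because bulk_update authorizes the whole batch before the first write, a request that mixes an allowed target with a forbidden one is rejected as a unit, which is the property a bulk editor needs so that a partial lock-out cannot be left behind.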


3) Improper access control (CVE-ID: CVE-2026-48492)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the GET /api/v1/{object}/selectlist API endpoint when handling authenticated requests. A remote user can send a request to retrieve a paginated list of user accounts to disclose sensitive information.

The issue exposes usernames, display names, employee numbers, and user IDs for active accounts. If FMCS (Full Multiple Companies Support) is disabled, all active accounts are exposed; if FMCS is enabled, exposure is limited to accounts within the same company.


4) Improper access control (CVE-ID: CVE-2026-49976)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to take over another user's account.

The vulnerability exists due to improper access control in the CSV user import update mode in UserImporter.php when processing a crafted CSV import. A remote privileged user can upload a CSV that overwrites a non-admin user's email address to take over another user's account.

Exploitation requires the import permission, and the issue affects non-admin, non-superuser target accounts.
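The defensive point of issue 4 is that a bulk import channel should not be able to rewrite an attribute that identifies the account and receives its login and password-reset mail. The following added example, which is not Snipe-IT's UserImporter.php, shows an update-mode importer that matches rows to existing accounts by username (an assumption), applies descriptive columns, and rejects and reports any row whose email differs from the stored address instead of applying it. The CSV rows and account records are constructed for the example.

```python
"""Update-mode CSV import that refuses to rewrite login identities.

Added illustrative example, not Snipe-IT's UserImporter.php. Rows are
matched to existing accounts by username (an assumption); descriptive
columns are updated; a row whose email differs from the stored address
is rejected and reported rather than applied.
"""
import csv
import io

IDENTITY_COLUMNS = {"username", "email"}
UPDATABLE_COLUMNS = {"first_name", "last_name", "phone", "jobtitle"}

# Constructed sample input: one benign update, one row that tries to move
# bob's account to a different mailbox, one row for an unknown account.
SAMPLE_CSV = (
    "username,email,phone\n"
    "alice,alice@example.test,555-0100\n"
    "bob,someone-else@example.test,555-0200\n"
    "carol,carol@example.test,\n"
)


def sample_accounts() -> dict:
    """Constructed existing accounts, keyed by username."""
    return {
        "alice": {"email": "alice@example.test", "phone": ""},
        "bob": {"email": "bob@example.test", "phone": ""},
    }


def import_users_update_mode(csv_text: str, existing: dict) -> dict:
    """Apply profile updates from csv_text to accounts in `existing`
    (username -> record). Returns a summary of updated, rejected and
    unknown rows so the operator can review what was refused."""
    summary = {"updated": [], "rejected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        username = (row.get("username") or "").strip()
        account = existing.get(username)
        if account is None:
            # Update mode never creates accounts; unmatched rows are reported.
            summary["unknown"].append(username)
            continue
        new_email = (row.get("email") or "").strip().lower()
        if new_email and new_email != account["email"].lower():
            # An identity change requested through a bulk channel is refused
            # and the stored address left intact; changing a login address
            # belongs to the audited single-user edit path.
            summary["rejected"].append(
                {"username": username, "reason": "email change not permitted via import"}
            )
            continue
        for column in UPDATABLE_COLUMNS & set(row):
            if row[column] not in (None, ""):
                account[column] = row[column]
        summary["updated"].append(username)
    return summary
```

The rejected list is part of the return value on purpose: an import that silently skips a row hides exactly the event an administrator would want to see, whereas a reported rejection naming the account doubles as a detection signal for attempted account takeover through the import permission.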


5) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2026-49870)

CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass two-factor authentication and obtain a fully authenticated session.

The vulnerability exists because the POST /two-factor endpoint does not restrict the number of TOTP verification attempts. A remote user can submit unlimited TOTP guesses to bypass two-factor authentication and obtain a fully authenticated session.

If two-factor authentication is configured in optional mode, the account owner can disable two-factor authentication without OTP re-verification after login.
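Two controls address issue 5: bounding failed TOTP guesses per session, and requiring a fresh OTP check before two-factor authentication can be disabled, whether or not it is configured in optional mode. The following added example, not Snipe-IT code, shows both. The RFC 6238 code derivation (HMAC-SHA1, 30-second step, 6 digits) is the standard one; the attempt limit of 5, the 300-second lockout and the session shape are assumptions chosen for the example.

```python
"""TOTP verification with an attempt limit and an OTP re-check before disabling 2FA.

Added illustrative example, not Snipe-IT code. The RFC 6238 code
derivation is standard; the attempt limit, lockout window and session
shape are assumptions chosen for this example.
"""
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30          # seconds per code
TOTP_DIGITS = 6
MAX_FAILED = 5          # failed guesses before the session locks (assumption)
LOCKOUT_SECONDS = 300   # length of the lock (assumption)


def totp_code(secret_b32: str, unix_time: int, step_offset: int = 0) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // TOTP_STEP + step_offset
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


class TwoFactorSession:
    """Server-side state for one login's second-factor step."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.failed = 0
        self.locked_until = 0
        self.enabled = True

    def verify(self, submitted: str, now: int) -> bool:
        """Check a submitted code; count failures and lock after MAX_FAILED."""
        if now < self.locked_until:
            return False  # locked out: the guess is not even evaluated
        # Accept the current step and one step either side for clock skew,
        # comparing every candidate in constant time.
        matched = False
        for off in (-1, 0, 1):
            matched |= hmac.compare_digest(totp_code(self.secret, now, off), submitted)
        if matched:
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED:
            # Bounded guessing: a handful of wrong codes buys a pause, which
            # makes walking the 6-digit space impractical within a code's life.
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed = 0
        return False

    def disable_two_factor(self, submitted: str, now: int) -> bool:
        """Disabling 2FA, in optional mode too, needs a fresh successful OTP
        check in this request; an earlier login does not count."""
        if not self.verify(submitted, now):
            return False
        self.enabled = False
        return True
```

The lock is keyed to the session rather than to the submitted code, so a correct code submitted while the lock is active is still refused; operationally, the lock event is the line worth alerting on, since a legitimate user rarely produces five consecutive wrong codes.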


Remediation

Install the update from the vendor's website.