HIGH 7.1
GHSA-6f75-x745-xcpr
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
Details
### Impact

The vulnerability allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can log in) and the `ldap_import` flag, which determines whether or not the user can request a password reset.
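The root cause described above is a bulk-edit handler that applies every submitted field to every selected user, regardless of whether the caller is allowed to change that field. The following is an added illustration, not Snipe-IT's code and not the patch linked below: it places the permissive pattern beside a hardened version that builds the update set from an allowlist and only lets a superadmin touch the login-affecting flags. The field names `activated` and `ldap_import` come from the advisory; the function names, the `BULK_EDITABLE_FIELDS` list, the `$callerIsSuperUser` flag and the array-based user records are assumptions made for the example.

```php
<?php
// Added example (not Snipe-IT's own code). Field names `activated` and
// `ldap_import` are from the advisory; everything else here is assumed.
declare(strict_types=1);

/** Fields any holder of `users.edit` may change in a bulk edit (assumed list). */
const BULK_EDITABLE_FIELDS = ['department_id', 'location_id', 'manager_id', 'company_id'];

/** Fields that control whether a user can log in or reset a password: superadmin only. */
const PRIVILEGED_FIELDS = ['activated', 'ldap_import'];

/**
 * Permissive pattern: every submitted key is written to every selected user,
 * so a caller with only `users.edit` can change `activated` and `ldap_import`.
 */
function bulkUpdatePermissive(array $users, array $fields): array
{
    foreach ($users as &$user) {
        foreach ($fields as $key => $value) {
            $user[$key] = $value;
        }
    }
    unset($user);
    return $users;
}

/**
 * Hardened pattern: the update set is built from an allowlist, and the
 * privileged flags are only accepted from a superadmin. Disallowed keys are
 * dropped and returned so the rejection can be logged and audited.
 */
function bulkUpdateHardened(array $users, array $fields, bool $callerIsSuperUser): array
{
    $allowed = BULK_EDITABLE_FIELDS;
    if ($callerIsSuperUser) {
        $allowed = array_merge($allowed, PRIVILEGED_FIELDS);
    }

    $updates  = [];
    $rejected = [];
    foreach ($fields as $key => $value) {
        if (in_array($key, $allowed, true)) {
            $updates[$key] = $value;
        } else {
            $rejected[] = $key;
        }
    }

    foreach ($users as &$user) {
        foreach ($updates as $key => $value) {
            $user[$key] = $value;
        }
    }
    unset($user);

    return ['users' => $users, 'rejected' => $rejected];
}

// Constructed sample data: two active admin accounts and a bulk-edit payload
// from a `users.edit`-only caller that changes the department but also tries
// to deactivate the accounts and mark them as LDAP-managed.
$admins = [
    ['id' => 1, 'username' => 'admin',  'activated' => 1, 'ldap_import' => 0, 'department_id' => 3],
    ['id' => 2, 'username' => 'admin2', 'activated' => 1, 'ldap_import' => 0, 'department_id' => 3],
];
$payload = ['department_id' => 5, 'activated' => 0, 'ldap_import' => 1];

$permissive = bulkUpdatePermissive($admins, $payload);
printf("permissive: activated=%d ldap_import=%d department_id=%d\n",
    $permissive[0]['activated'], $permissive[0]['ldap_import'], $permissive[0]['department_id']);

$hardened = bulkUpdateHardened($admins, $payload, false);
printf("hardened:   activated=%d ldap_import=%d department_id=%d rejected=%s\n",
    $hardened['users'][0]['activated'], $hardened['users'][0]['ldap_import'],
    $hardened['users'][0]['department_id'], implode(',', $hardened['rejected']));
```

Run with `php example.php`: the permissive handler leaves both admins with `activated=0` and `ldap_import=1`, while the hardened handler applies only `department_id` and reports `activated,ldap_import` as rejected. The design point is that the allowlist is derived from the caller's role at the server, so the set of writable fields never depends on what the client chooses to submit; logging the rejected keys also gives operators a signal when a low-privilege account starts probing for these flags.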
### Patches

Patched in https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a
Affected packages

| Ecosystem | Package | Introduced in | Fixed in |
|---|---|---|---|
| Packagist | snipe/snipe-it | 0 | 8.6.0 |

Fix:

```
composer require snipe/snipe-it:^8.6.0
```