high · 7.1 · CVE-2026-48507 · Jun 26, 2026

CVE-2026-48507: Snipe-IT Bulk User Edit Incorrect Authorization

Shubham Kandhare
Security Engagement Manager, SecureLayer7

A low-privileged Snipe-IT user with only the 'users.edit' permission can bulk-disable the 'activated' and 'ldap_import' flags on every admin account, locking all administrators out of the instance wit

Package: snipe/snipe-it
Ecosystem: composer
Affected: < 8.6.0
Fixed in: 8.6.0

The problem

Snipe-IT's per-user edit path checks the `canEditAuthFields` policy before allowing changes to sensitive flags like `activated` (controls login) and `ldap_import` (controls password-reset eligibility). That check was simply absent in `BulkUsersController.php`.

Any authenticated user holding only the granular `users.edit` permission could POST to the bulk-edit endpoint and flip those flags across every admin account in one request, producing a full administrative lockout. Recovery requires direct database intervention.

Proof of concept

```http
POST /users/bulkeditsave HTTP/1.1
Host: snipe-it.example.com
Cookie: <session of low-priv user with users.edit>
Content-Type: application/x-www-form-urlencoded

ids%5B%5D=1&ids%5B%5D=2&ids%5B%5D=3&activated=0&ldap_import=0
```

The bulk-edit controller used a helper (`conditionallyAddItem()`) to build a mass-update array from raw request input. Because `activated` and `ldap_import` were passed straight into that array, the ORM applied them to every listed user ID without ever calling the `canEditAuthFields` authorization policy that the single-user edit path enforces.

The patch (commit 403f9c8) adds an explicit superuser/admin check inside the bulk-edit loop, mirroring the guard already present on the individual-user update path. This is CWE-863: the system authenticated the user correctly but did not verify they were authorized to modify those specific fields on those specific accounts.

The fix

Upgrade to Snipe-IT 8.6.0 or later. The patch adds the missing `canEditAuthFields` authorization check inside `BulkUsersController.php` so that admin-only flags are guarded in bulk operations the same way they are in single-user edits. Until you can upgrade, revoke the `users.edit` permission from any account that does not strictly require it.
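As an added illustration, not Snipe-IT's own code, the plain-PHP sketch below shows the unguarded bulk-update pattern the advisory describes beside a hardened version that re-applies a `canEditAuthFields`-style check for each target user, which is what makes the bulk path behave like the single-user path. The `User` class, the permission name, the field list, the `buildUpdateArray()` helper and the policy body are assumptions for the example; Snipe-IT's real models, `conditionallyAddItem()` helper and policy differ.

```php
<?php
// Added illustration, not Snipe-IT's code. Model, permission and policy
// shapes below are assumptions made for the example.
declare(strict_types=1);

// Fields that control authentication state. The advisory says the
// per-user edit path gates these behind the canEditAuthFields policy.
const AUTH_FIELDS = ['activated', 'ldap_import'];

// Minimal stand-in for a user record (assumed shape).
final class User
{
    public function __construct(
        public int $id,
        public string $username,
        public bool $isSuperuser,
        public array $permissions,      // e.g. ['users.edit']
        public bool $activated = true,
        public bool $ldapImport = false,
    ) {}

    public function hasPermission(string $perm): bool
    {
        return $this->isSuperuser || in_array($perm, $this->permissions, true);
    }
}

// Assumed policy body: only a superuser may change auth-state fields on
// another account. The real policy's rules are not reproduced here.
function canEditAuthFields(User $actor, User $target): bool
{
    return $actor->isSuperuser;
}

// Builds the mass-update array from raw request input the way the advisory
// describes the helper doing it: anything present in the request goes in.
function buildUpdateArray(array $input): array
{
    $update = [];
    foreach (['activated', 'ldap_import', 'department_id', 'location_id'] as $key) {
        if (array_key_exists($key, $input)) {
            $update[$key] = $input[$key];
        }
    }
    return $update;
}

// Applies an update array to one user (only the two auth fields matter here).
function applyUpdate(User $u, array $update): void
{
    if (array_key_exists('activated', $update)) {
        $u->activated = (bool) (int) $update['activated'];
    }
    if (array_key_exists('ldap_import', $update)) {
        $u->ldapImport = (bool) (int) $update['ldap_import'];
    }
}

// VULNERABLE pattern: the coarse users.edit check passes, then the same
// update array is applied to every listed id with no per-target policy call.
function bulkEditVulnerable(User $actor, array $users, array $input): array
{
    if (!$actor->hasPermission('users.edit')) {
        throw new RuntimeException('forbidden');
    }
    $update = buildUpdateArray($input);
    foreach ($input['ids'] as $id) {
        applyUpdate($users[$id], $update);
    }
    return $users;
}

// HARDENED pattern: auth-state fields are dropped from the update for any
// target the policy does not allow, mirroring the single-user edit guard.
function bulkEditHardened(User $actor, array $users, array $input): array
{
    if (!$actor->hasPermission('users.edit')) {
        throw new RuntimeException('forbidden');
    }
    $update = buildUpdateArray($input);
    foreach ($input['ids'] as $id) {
        $target = $users[$id];
        $perTarget = $update;
        if (!canEditAuthFields($actor, $target)) {
            foreach (AUTH_FIELDS as $field) {
                unset($perTarget[$field]);
            }
        }
        applyUpdate($target, $perTarget);
    }
    return $users;
}

// Constructed sample: a low-privileged actor holding only users.edit sends
// the same parameters as the request on this page against two admin accounts.
$users = [
    1 => new User(1, 'admin1', true, []),
    2 => new User(2, 'admin2', true, []),
    7 => new User(7, 'helpdesk', false, ['users.edit']),
];
$actor = $users[7];
$input = ['ids' => [1, 2], 'activated' => '0', 'ldap_import' => '0'];

$v = bulkEditVulnerable($actor, array_map(fn ($u) => clone $u, $users), $input);
$h = bulkEditHardened($actor, array_map(fn ($u) => clone $u, $users), $input);

printf("vulnerable: admin1 activated=%d ldap_import=%d\n", $v[1]->activated, $v[1]->ldapImport);
printf("hardened:   admin1 activated=%d ldap_import=%d\n", $h[1]->activated, $h[1]->ldapImport);
```

Run with `php example.php` (PHP 8.0 or later for constructor promotion): the vulnerable path leaves both admins deactivated and no longer LDAP-managed, while the hardened path leaves their auth-state fields untouched because the per-target policy call fails for a non-superuser actor. The design point is that the guard has to run once per target inside the loop, not once per request, since the same actor may be allowed to change those fields on some accounts and not others.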

Reported by the Grokability security team.
