Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.7
Snipe-IT: Low-Privileged Users Can Take Over Admin Accounts
CVE-2025-15602
GHSA-5448-v74m-7mv7
GHSA-5448-v74m-7mv7
Summary
An attacker can use a malicious API request to change a Super Admin's email address, then use a password reset to gain complete control of the Snipe-IT instance. This could happen if a low-privileged user has access to the vulnerable version of Snipe-IT, version 8.3.7 or earlier. To fix this, upgrade to Snipe-IT version 8.3.7 or later.
What to do
- Update snipe snipe-it to version 8.3.7.
- Update snipe snipe/snipe-it to version 8.3.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| snipe | snipe-it | <= 8.3.7 | 8.3.7 |
| snipe | snipe/snipe-it | <= 8.3.7 | 8.3.7 |
Original title
Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment
Original description
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.
nvd CVSS3.1
8.8
nvd CVSS4.0
8.7
Vulnerability type
CWE-915
- https://snipeitapp.com/
- https://github.com/grokability/snipe-it/releases/tag/v8.3.7
- https://www.vulncheck.com/advisories/snipe-it-mass-assignment-vulnerability-lead...
- https://nvd.nist.gov/vuln/detail/CVE-2025-15602
- https://snipeitapp.com
- https://github.com/advisories/GHSA-5448-v74m-7mv7
- https://github.com/grokability/snipe-it Product
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026