NIXPKGS-2026-0566

GitHub issue published on 8 Mar 2026

Permalink CVE-2025-15602

updated 1 week ago by @mweinelt Activity log

Created automatic suggestion 1 week, 1 day ago
@mweinelt accepted 1 week ago
@mweinelt published on GitHub 1 week ago

Snipe-IT < 8.3.7 Mass Assignment Vulnerability Leading to Privilege Escalation

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.

References

https://www.vulncheck.com/advisories/snipe-it-mass-assignment-vulnerability-leading-to-privilege-escalation third-party-advisory
https://github.com/grokability/snipe-it/releases/tag/v8.3.7 patch release-notes
https://snipeitapp.com/ product

Affected products

Snipe-IT

<8.3.7

Matching in nixpkgs

pkgs.snipe-it

Free open source IT asset/license management system

nixos-unstable 8.4.0
- nixpkgs-unstable 8.4.0
- nixos-unstable-small 8.4.0
nixos-25.11 8.3.6
- nixos-25.11-small 8.3.6
- nixpkgs-25.11-darwin 8.3.6

Package maintainers

@yayayayaka Yaya <github@uwu.is>

NixOS Unstable: https://github.com/NixOS/nixpkgs/commit/ab0b678bb6d6b564079108ff431e6fb01d1b492e
NixOS 25.11: https://github.com/NixOS/nixpkgs/pull/486331 (unmerged)

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0566

References

Affected products

Matching in nixpkgs

pkgs.snipe-it

Package maintainers