A user with only users.edit AND api permissions can send a PATCH to /api/v1/users/{theirownid} and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc.
Patched in https://github.com/grokability/snipe-it/pull/19024
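The flaw is an authorization gap (CWE-863): the endpoint checks that the caller may edit users but not that the caller may change the permissions field, and not that the caller is editing someone other than themselves. The following is an added illustration, not Snipe-IT's code and not the fix in the linked pull request: it models that pattern in a small handler beside a hardened form and a detection helper. The permission names are those in the advisory; the `"permissions"` payload key, the `User` and `Forbidden` types, and the policy in the hardened handler are assumptions.

```python
"""Added illustration, not Snipe-IT code: a self-service user PATCH handler
with the authorization gap described in the advisory, a hardened form, and a
log/alert condition for self-granted permissions.

Permission names (users.edit, api, assets.view, admin, superuser) come from
the advisory; the "permissions" payload key, the User/Forbidden types and the
policy enforced by the hardened handler are assumptions."""
from dataclasses import dataclass, field

PRIVILEGED = {"admin", "superuser"}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested change."""


@dataclass
class User:
    id: int
    permissions: set = field(default_factory=set)


def patch_user_vulnerable(actor: User, target: User, payload: dict) -> User:
    """Flawed handler: the only gate is users.edit, after which the
    permissions field is mass-assigned with just admin/superuser filtered.
    Nothing stops the actor from targeting their own record."""
    if "users.edit" not in actor.permissions:
        raise Forbidden("users.edit required")
    if "permissions" in payload:
        target.permissions = set(payload["permissions"]) - PRIVILEGED
    return target


def patch_user_hardened(actor: User, target: User, payload: dict) -> User:
    """Hardened handler (assumed policy): editing a user still needs
    users.edit, but changing the permissions field is a separate decision
    tied to the actor's role and never allowed on the actor's own record."""
    if "users.edit" not in actor.permissions:
        raise Forbidden("users.edit required")
    if "permissions" not in payload:
        return target
    requested = set(payload["permissions"])
    if actor.id == target.id:
        raise Forbidden("a user may not modify their own permissions")
    if not actor.permissions & PRIVILEGED:
        raise Forbidden("changing permissions requires admin or superuser")
    if requested & PRIVILEGED and "superuser" not in actor.permissions:
        raise Forbidden("only a superuser may grant admin or superuser")
    target.permissions = requested
    return target


def self_grant_attempt(actor: User, target: User, payload: dict) -> bool:
    """Detection helper: True when a PATCH targets the actor's own record and
    would add permissions the record does not already hold. Suitable as an
    alert condition on API audit logs, independent of which handler runs."""
    if actor.id != target.id or "permissions" not in payload:
        return False
    return bool(set(payload["permissions"]) - target.permissions)


if __name__ == "__main__":
    # Constructed scenario matching the advisory: a user holding only
    # users.edit and api sends a PATCH for their own id.
    me = User(7, {"users.edit", "api"})
    payload = {"permissions": ["users.edit", "api", "assets.view", "admin"]}
    print("self-grant attempt detected:", self_grant_attempt(me, me, payload))
    print("vulnerable result:", sorted(patch_user_vulnerable(me, me, payload).permissions))
    me = User(7, {"users.edit", "api"})
    try:
        patch_user_hardened(me, me, payload)
    except Forbidden as exc:
        print("hardened result:", exc)
```

The hardened handler keeps the existing `users.edit` gate and adds two orthogonal checks: who may touch the permissions field at all, and whether the target is the caller. The detection helper is deliberately separate from enforcement so it can be applied to historical request logs to find earlier self-grants.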
{
"nvd_published_at": null,
"severity": "MODERATE",
"cwe_ids": [
"CWE-863"
],
"github_reviewed_at": "2026-06-23T22:12:11Z",
"github_reviewed": true
}