GHSA-p68w-rgmg-3c2v

Source

https://github.com/advisories/GHSA-p68w-rgmg-3c2v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-p68w-rgmg-3c2v/GHSA-p68w-rgmg-3c2v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p68w-rgmg-3c2v

Aliases

CVE-2026-49976

Published

2026-06-23T23:02:03Z

Modified

2026-06-23T23:15:15.490889386Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Snipe-IT Vulnerable to User Account Escalation via CSV Import

Details

Impact

The CSV user import in update mode bypasses user-edit authorization. A user with only the import permission can overwrite any non-admin user's email by uploading a CSV, then trigger a password reset to take over the account.

UserImporter.php checks the canEditAuthFields gate and tries to strip auth fields from the model:

// app/Importer/UserImporter.php:107-114
if (Auth::check() && (! Gate::allows('canEditAuthFields', $user))) {
    unset($user->username);
    unset($user->email);
    unset($user->password);
    unset($user->activated);
}
$user->update($this->sanitizeItemForUpdating($user));

The unset()s operate on the model, but sanitizeItemForUpdating() rebuilds its array from $this->item (the raw CSV row), not from the model:

// app/Importer/ItemImporter.php:135-149
protected function sanitizeItemForStoring($model, $updating = false)
{
    $item = collect($this->item);                  // CSV data, not model attributes
    $item = $item->only($model->getFillable());
    if ($updating) {
        $item = $item->reject(fn($v) => empty($v));
    }
    return $item->toArray();
}

The attacker's CSV values pass through untouched.

For non-admin attacker vs. non-admin, non-superuser target, the gate returns true at AuthServiceProvider.php:137, so the unset() block never executes. The entire import path checks only $this->authorize('import') (ImportController.php:196); no users.edit check anywhere. The normal API route PATCH /api/v1/users/{id} correctly returns 403 for the same user.

Attacker must have import privileges to exploit this, and that permission must be granted specifically and intentionally by a superadmin.

Patches

Patched in v8.6.0

Database specific

{
    "github_reviewed_at": "2026-06-23T23:02:03Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}

References

Affected packages

Packagist / snipe/snipe-it

Package

Name: snipe/snipe-it
Purl: pkg:composer/snipe%2Fsnipe-it

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.0

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.2.0

v0.3.0-alpha

v0.3.7-alpha

v0.3.8-alpha

v0.3.9-alpha

v0.3.10-alpha

v0.3.11-alpha

v1.*

v1.0

v1.1

v1.2.0

v1.2.1

v1.2.2

v1.2.3-beta

v1.2.3

v1.2.4-beta

v1.2.4

v1.2.5

v1.2.6-beta

v1.2.6

v1.2.6.1

v1.2.7-beta

v1.2.7

v1.2.8

v1.2.9

v1.2.10

v1.2.11

v2.*

v2.0-beta

v2.0-RC-1

v2.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.1.0

v2.1.1

v2.1.2

v3.*

v3.0-alpha

v3.0-alpha2

v3.0-beta.1

v3.0-beta.2

v3.0-beta.3

v3.0

v3.0.0-beta

v3.1.0

v3.3.0-beta

v3.3.0

v3.4

v3.4.0-alpha

v3.4.0-beta

v3.5.0-beta

v3.5.0-beta2

v3.5.0

v3.5.1

v3.5.2

v3.6.0

v3.6.1

v3.6.2

v3.6.3

v3.6.4

v3.6.5

v3.6.6

3.*

3.2.0

Other

v4-beta3

v4-beta4

v4.*

v4.0-alpha

v4.0-alpha-2

v4.0-beta

v4.0-beta2

v4.0-beta5

v4.0-beta6

v4.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.0.9

v4.0.10

v4.0.11

v4.0.12

v4.0.13

v4.0.14

v4.0.15

v4.1.0-beta

v4.1.0-beta2

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.1.7

v4.1.8

v4.1.9

v4.1.10

v4.1.11

v4.1.12

v4.1.13

v4.1.14

v4.2.0

v4.3.0

v4.4.0

v4.4.1

v4.5.0

v4.6.0

v4.6.1

v4.6.2

v4.6.3

v4.6.4

v4.6.5

v4.6.6

v4.6.7

v4.6.8

v4.6.9

v4.6.10

v4.6.11

v4.6.12

v4.6.13

v4.6.14

v4.6.15

v4.6.16

v4.6.17

v4.6.18

v4.7.0

v4.7.1

v4.7.2

v4.7.3

v4.7.4

v4.7.5

v4.7.6

v4.7.7

v4.7.8

v4.8.0

v4.9.0

v4.9.1

v4.9.2

v4.9.3

v4.9.4

v4.9.5

v5.*

v5.0.0-beta-1.0

v5.0.0-beta-1.1

v5.0.0-beta-2

v5.0.0-beta-3.0

v5.0.0-beta-4

v5.0.0-beta-5

v5.0.0

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.0.5

v5.0.6

v5.0.7

v5.0.8

v5.0.9

v5.0.10

v5.0.11

v5.0.12

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.1.4

v5.1.5

v5.1.6

v5.1.7

v5.1.8

v5.2.0

v5.3.0

v5.3.1

v5.3.2

v5.3.3

v5.3.4

v5.3.5

v5.3.6

v5.3.7

v5.3.8

v5.3.9

v5.3.10

v5.4.0

v5.4.1

v5.4.2

v5.4.3

v5.4.4

v6.*

v6.0.0-RC-1

v6.0.0-RC-2

v6.0.0-RC-3

v6.0.0-RC-4

v6.0.0-RC-5

v6.0.0-RC-6

v6.0.0-RC-7

v6.0.0-RC-8

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.0.6

v6.0.7

v6.0.8

v6.0.9

v6.0.10

v6.0.11

v6.0.12

v6.0.13

v6.0.14

v6.1.0

v6.1.1

v6.1.2

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.3.0

v6.3.1

v6.3.2

v6.3.3

v6.3.4

v6.4.0

v6.4.1

v6.4.2

v7.*

v7.0.0

v7.0.1

v7.0.2

v7.0.3

v7.0.4

v7.0.5

v7.0.6

v7.0.7

v7.0.8

v7.0.9

v7.0.10

v7.0.11

v7.0.12

v7.0.13

v7.1.14

v7.1.15

v7.1.16

v7.1.17

v8.*

v8.0.0

v8.0.1

v8.0.2

v8.0.3

v8.0.4

v8.1.0

v8.1.1

v8.1.2

v8.1.3

v8.1.4

v8.1.15

v8.1.16

v8.1.17

v8.1.18

v8.2.0

v8.2.1

v8.3.0

v8.3.1

v8.3.2

v8.3.3

v8.3.4

v8.3.5

v8.3.6

v8.3.7

v8.4.0

v8.4.1

v8.5.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-p68w-rgmg-3c2v/GHSA-p68w-rgmg-3c2v.json"