Snipe-IT < 8.3.7 Mass Assignment Vulnerability Leading to Privilege Escalation

Advisories

severity: high
date: 3/6/2026
Affecting: Snipe-IT < 8.3.7
CVE: CVE-2025-15602
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Snipe-IT Release Notes v8.3.7
Snipe-IT Webpage
Credit: Noah Heraud, Luca D.
Description: Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo