How CVE-2026-50550 Works
Snipe-IT is an open-source IT asset management system that provides administrators with the ability to manage users, licenses, and hardware assets. As a security feature, it supports Time-based One-Time Password (TOTP) two-factor authentication (2FA) to protect user accounts. In versions prior to 8.5.0, a privilege bypass vulnerability existed within the 2FA reset functionality.
The core of the issue lies in improper access control within the user management module. In Snipe-IT, users with the ability to edit other users—a permission typically granted to administrators or users with specific granular permissions like users.edit—have access to a “reset two-factor secret” button on a user’s edit profile page. This functionality is legitimate and intended for use cases such as when a user loses their authenticator device.
However, the vulnerability arises because the application failed to perform an additional authorization check to verify if the user performing the action had the necessary privileges to reset 2FA specifically for a superadmin account. While a user might have permission to edit standard users, the system did not enforce a distinction that would prevent them from invoking the 2FA reset function on accounts with the highest level of privilege.
An attacker who is authenticated with low-level privileges, but who possesses the `users.edit` permission, can exploit this oversight. By navigating to the edit profile page of a superadmin and clicking the 2FA reset button, the attacker can clear the superadmin’s TOTP secret. This action does not require the attacker to know the superadmin’s current 2FA code or password.
Once the secret is cleared, the superadmin's second factor is effectively disabled. On the superadmin's next login the application prompts them to enroll a fresh TOTP secret (a new QR code); nothing re-enrolls the account on its own. Until that re-enrollment happens, the account is protected by its password alone, so attacks that the second factor would have stopped, such as password guessing or credential theft, now work against the most privileged account in the instance. The published score rates the attack vector as adjacent and records user interaction as required.
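The missing check, as an added illustration written as a small Python model rather than Snipe-IT's PHP (this is not the project's code): the account layout, the `"1"` grant convention and the `reset_two_factor_*` function names are assumptions, chosen to place the pre-8.5.0 gate beside a hardened one that also considers the privilege of the target account.

```python
"""Model of the authorization gap behind the Snipe-IT 2FA-reset flaw.

Added example, not Snipe-IT code. Account layout and permission names are
simplified assumptions: a `superuser` flag plus a dict of permission keys
such as "users.edit" where the value "1" means granted.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    username: str
    superuser: bool = False
    permissions: Dict[str, str] = field(default_factory=dict)
    two_factor_secret: Optional[str] = None


def has_permission(actor: Account, name: str) -> bool:
    """Superadmins implicitly hold every permission; others need an explicit grant."""
    return actor.superuser or actor.permissions.get(name) == "1"


def reset_two_factor_vulnerable(actor: Account, target: Account) -> bool:
    """Pre-8.5.0 behaviour as described on this page: any holder of
    users.edit may clear any account's TOTP secret, superadmins included."""
    if not has_permission(actor, "users.edit"):
        return False
    target.two_factor_secret = None
    return True


def reset_two_factor_fixed(actor: Account, target: Account) -> bool:
    """Hardened gate: users.edit is still required, and clearing a superadmin's
    second factor additionally requires the caller to be a superadmin."""
    if not has_permission(actor, "users.edit"):
        return False
    if target.superuser and not actor.superuser:
        return False  # the CWE-862 gap: the target's privilege is now considered
    target.two_factor_secret = None
    return True


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run both gates with a low-privilege editor against a superadmin target.

    Returns {version: (reset_allowed, secret_cleared)}.
    """
    results = {}
    for version, gate in (("vulnerable", reset_two_factor_vulnerable),
                          ("fixed", reset_two_factor_fixed)):
        editor = Account("helpdesk", permissions={"users.edit": "1"})
        # Constructed sample secret, not a real one.
        root = Account("superadmin", superuser=True, two_factor_secret="JBSWY3DPEHPK3PXP")
        allowed = gate(editor, root)
        results[version] = (allowed, root.two_factor_secret is None)
    return results


if __name__ == "__main__":
    for version, (allowed, cleared) in demo().items():
        print(f"{version:10s} reset allowed={allowed}  secret cleared={cleared}")
```

The point of the second branch in `reset_two_factor_fixed` is that `users.edit` answers "may this actor edit users at all", not "may this actor weaken the authentication of this particular user"; a sensitive action on a privileged target needs its own check.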
DailyCVE Form
| Field | Value |
|---|---|
| Platform | Snipe-IT |
| Version | < 8.5.0 |
| Vulnerability | 2FA Reset Privilege Bypass |
| Severity | Moderate (CVSS: 5.8) |
| Date | June 23, 2026 |
| Prediction | Patch available (8.5.0) |
What Undercode Says: Analytics
This vulnerability stems from a classic missing authorization check (CWE-862). The application correctly checked that a user had the `users.edit` permission to access the user editing interface but failed to check that the target user was not a superadmin before allowing the 2FA secret to be reset. This is a subtle but critical oversight in the authorization logic.
Bash Command to Check Version:
From the Snipe-IT installation directory:
```shell
php artisan snipeit:version
```
The version string is also the `app_version` entry in `config/version.php`.
How to Exploit:
An attacker with `users.edit` permission can exploit this vulnerability by following these steps:
1. Log in to Snipe-IT with an account that has the `users.edit` permission.
2. Navigate to the People section and select Edit User for a superadmin account.
3. In the user’s profile, locate the section for Two-Factor Authentication.
4. Click the button to Reset the Two-Factor Secret.
5. The superadmin’s 2FA is now disabled, leaving their account unprotected.
Protection from this CVE:
To protect your Snipe-IT instance from this vulnerability, the following measures are recommended:
Immediate Patch: Upgrade Snipe-IT to version 8.5.0 or later, which contains the official fix for this issue.
Restrict Permissions: Until an upgrade can be performed, review and limit the `users.edit` permission, including grants inherited through group membership, to the few accounts that genuinely need to modify other users. Reviewing superadmin accounts alone is not enough; the attacker here is a non-superadmin editor.
Principle of Least Privilege: Regularly audit user permissions to ensure that no user has more privileges than necessary for their role.
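One way to carry out the permission review above, as an added example and not a Snipe-IT tool: a Python script that resolves effective `users.edit` grants over an export of user and group permission JSON. It assumes Snipe-IT's Grant/Inherit/Deny model is stored as `"1"`, `"0"` and `"-1"`, that an explicit user setting overrides group settings, and that the export shape (`username`, `groups`, `permissions`) matches your own; the data below is constructed.

```python
"""Audit which non-superadmin accounts can reach the 2FA reset button.

Added example, not part of Snipe-IT. Assumptions: permissions are JSON
strings using "1" = grant, "0" = inherit, "-1" = deny; an explicit user
setting wins over group settings; superadmins are identified by the
"superuser" key. Adjust column names to your actual export.
"""
import json
from typing import Dict, List, Optional

# Constructed sample export, not real data: group id -> permissions JSON.
GROUPS: Dict[int, str] = {
    1: json.dumps({"users.edit": "1", "users.view": "1"}),   # e.g. a "Helpdesk" group
    2: json.dumps({"users.view": "1"}),                      # e.g. an "Auditors" group
}

# Constructed sample users: direct permissions JSON plus group memberships.
USERS: List[dict] = [
    {"username": "root",  "groups": [],  "permissions": json.dumps({"superuser": "1"})},
    {"username": "alice", "groups": [1], "permissions": json.dumps({})},                    # inherits users.edit
    {"username": "bob",   "groups": [1], "permissions": json.dumps({"users.edit": "-1"})},  # explicitly denied
    {"username": "carol", "groups": [2], "permissions": json.dumps({"users.edit": "1"})},   # direct grant
    {"username": "dave",  "groups": [2], "permissions": json.dumps({})},                    # no grant anywhere
]


def decode(perms: Optional[str]) -> Dict[str, str]:
    """Permission columns may be empty or NULL; treat both as no settings."""
    return json.loads(perms) if perms else {}


def is_superuser(user: dict) -> bool:
    return decode(user["permissions"]).get("superuser") == "1"


def grant_source(user: dict, perm: str, groups: Dict[int, str]) -> Optional[str]:
    """Where an effective grant of `perm` comes from, or None if not granted.

    Explicit user grant/deny wins; otherwise the first granting group applies.
    """
    own = decode(user["permissions"]).get(perm, "0")
    if own == "1":
        return "direct"
    if own == "-1":
        return None
    for gid in user["groups"]:
        if gid in groups and decode(groups[gid]).get(perm) == "1":
            return f"group {gid}"
    return None


def users_edit_holders(users: List[dict], groups: Dict[int, str]) -> Dict[str, str]:
    """Non-superadmin accounts holding users.edit, mapped to the source of the grant.

    These are exactly the accounts that could clear a superadmin's TOTP
    secret on a pre-8.5.0 instance.
    """
    holders = {}
    for user in users:
        if is_superuser(user):
            continue
        source = grant_source(user, "users.edit", groups)
        if source is not None:
            holders[user["username"]] = source
    return holders


if __name__ == "__main__":
    for name, source in users_edit_holders(USERS, GROUPS).items():
        print(f"{name:8s} users.edit via {source}")
```

Note that `bob` does not appear even though his group grants `users.edit`, while `alice` does appear without any direct setting; a review that only reads the per-user column misses the group-inherited case, which is the one most often overlooked.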
Impact
The primary impact of this vulnerability is the bypass of two-factor authentication for superadmin accounts. This weakens the overall security posture of the Snipe-IT instance.
Integrity: An attacker can reset a superadmin’s 2FA, leading to a High integrity impact as they can manipulate the authentication state of a privileged account.
Confidentiality: The vulnerability has a Low confidentiality impact, as it does not directly expose data but facilitates further attacks that could.
Availability: There is No direct availability impact from this specific flaw.
By disabling 2FA on a superadmin account, an attacker creates an opportunity for a subsequent account takeover. This could be combined with other attack vectors, such as password spraying or social engineering, to gain full administrative control over the Snipe-IT instance.
Sources:
Reported By: github.com

