Skip to main content

Snipe-IT CVE-2026-55515

| EUVDEUVD-2026-42995 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-10 security-advisories@github.com
5.0
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
vuln.today AI
5.0 MEDIUM

PR:L confirmed by required reports.view role; S:C reflects cross-tenant record deletion; I:L only since impact is confined to deleting acceptance records with no confidentiality or availability consequences.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 21:02 EUVD
Analysis Generated
Jul 10, 2026 - 20:48 vuln.today

DescriptionCVE.org

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without checking access to the related checkoutable asset, allowing a reports user in one company to delete pending checkout acceptance records for another company. This issue is fixed in version 8.6.2.

AnalysisAI

Cross-tenant authorization bypass in Snipe-IT prior to v8.6.2 allows an authenticated user with only reports.view permission in one company to delete pending checkout acceptance records belonging to any other company by supplying arbitrary global IDs to the unaccepted-assets report delete endpoint. The root cause is a classic IDOR (CWE-639): the endpoint validates role but not company-scope ownership. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain reports.view account in any tenant
Delivery
Enumerate global CheckoutAcceptance IDs via delete endpoint
Exploit
Submit DELETE requests with cross-company IDs
Execution
Endpoint validates reports.view role only
Impact
Cross-tenant records deleted successfully

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated user account assigned the `reports.view` permission in any company on the Snipe-IT instance - this is confirmed by the CVSS vector (PR:L) and the advisory description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N = 5.0) is consistent with the vulnerability description: network-accessible, low complexity, requiring only a low-privileged `reports.view` account, with scope change reflecting cross-tenant impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a `reports.view` account in Company A iterates sequential integer IDs against the unaccepted-assets report delete endpoint, targeting CheckoutAcceptance records whose IDs fall outside their own company's range. Because the endpoint only verifies the `reports.view` role and not company membership, deletion succeeds for records owned by Company B or any other tenant on the instance. …
Remediation Upgrade to Snipe-IT v8.6.2 or later, which introduces company-scope validation on the unaccepted-assets delete endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-5511 HIGH POC
8.8 Oct 11

Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. Rated high severity (CVSS 8.8),

CVE-2022-23064 HIGH POC
8.8 May 02

In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. Rated high severity (CVSS 8.8), this

CVE-2021-4130 HIGH POC
8.8 Dec 18

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2021-3858 HIGH POC
8.8 Oct 19

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2022-2997 HIGH POC
8.0 Aug 25

Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. Rated high severity (CVSS 8.0), this vulnerability

CVE-2022-1155 HIGH POC
7.4 Mar 30

Old sessions are not blocked by the login enable function. Rated high severity (CVSS 7.4), this vulnerability is remotel

CVE-2021-4075 HIGH POC
7.2 Dec 06

snipe-it is vulnerable to Server-Side Request Forgery (SSRF). Rated high severity (CVSS 7.2), this vulnerability is remo

CVE-2024-48987 MEDIUM POC
6.6 Oct 11

Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the AP

CVE-2022-1511 MEDIUM POC
6.5 Apr 28

Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. Rated medium severity (CVSS 6.5), this vulnera

CVE-2021-4108 MEDIUM POC
6.1 Dec 14

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me

CVE-2021-3863 MEDIUM POC
6.1 Oct 19

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me

CVE-2025-65622 MEDIUM POC
5.4 Dec 01

Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user

Share

CVE-2026-55515 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy