Skip to main content

Snipe-IT CVE-2026-55519

LOW
Improper Authorization (CWE-285)
2026-06-23 https://github.com/grokability/snipe-it GHSA-x667-r589-43m7

Severity by source

vuln.today AI
6.5 MEDIUM

Requires authenticated low-privilege user (PR:L); no special conditions (AC:L); arbitrary file deletion across all assets produces high integrity impact (I:H) with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 23:52 vuln.today
Analysis Generated
Jun 23, 2026 - 23:52 vuln.today

DescriptionCVE.org

Impact

A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an Insecure Direct Object Reference (IDOR) vulnerability caused by a class-level authorization check in the file deletion endpoint, where an instance-level check is required.

The vulnerability exists in both the web and API controllers, affecting all Snipe-IT installations running version 8.4.0 and potentially earlier versions.

Patches

Patched in https://github.com/grokability/snipe-it/commit/8bc7d50e35d93eee5a0d48b4923e497937cf93fd

AnalysisAI

Improper authorization in Snipe-IT v8.4.0 permits any authenticated user holding generic asset edit permissions to delete files attached to any asset across the entire system, bypassing both ownership and company assignment boundaries. The flaw exists in both the web and API file deletion controllers, where a class-level policy check is applied instead of the required instance-level check, constituting a classic IDOR (CWE-285). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Snipe-IT with asset-edit role
Delivery
Enumerate file IDs on target assets via API
Exploit
Craft DELETE request to file deletion endpoint with target file ID
Execution
Class-level auth check passes (no instance ownership verified)
Impact
Arbitrary asset file deleted system-wide

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated Snipe-IT session where the user account holds 'update' permissions on assets - this is a generic, commonly assigned role for IT staff and help desk personnel. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector supplied in the input (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) is clearly a placeholder - it scores all impacts as None and authentication as None, which directly contradicts the description requiring an authenticated user with edit permissions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An internal Snipe-IT user - such as a help desk technician with standard asset edit rights - authenticates to the platform and identifies a file ID attached to an executive's or competitor department's asset (e.g., via sequential ID enumeration in the file deletion API endpoint). The attacker sends a DELETE request to `/api/v1/hardware/{asset_id}/files/{file_id}` substituting a target file ID on an asset they do not own; the class-level authorization check passes because the user has generic asset-edit permission, and the file is permanently deleted. …
Remediation Upgrade Snipe-IT to version 8.4.1, which resolves the issue via commit 8bc7d50e35d93eee5a0d48b4923e497937cf93fd (https://github.com/grokability/snipe-it/commit/8bc7d50e35d93eee5a0d48b4923e497937cf93fd). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy