Snipe-IT CVE-2026-55519
LOWSeverity by source
Requires authenticated low-privilege user (PR:L); no special conditions (AC:L); arbitrary file deletion across all assets produces high integrity impact (I:H) with no confidentiality or availability effect.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an Insecure Direct Object Reference (IDOR) vulnerability caused by a class-level authorization check in the file deletion endpoint, where an instance-level check is required.
The vulnerability exists in both the web and API controllers, affecting all Snipe-IT installations running version 8.4.0 and potentially earlier versions.
Patches
Patched in https://github.com/grokability/snipe-it/commit/8bc7d50e35d93eee5a0d48b4923e497937cf93fd
AnalysisAI
Improper authorization in Snipe-IT v8.4.0 permits any authenticated user holding generic asset edit permissions to delete files attached to any asset across the entire system, bypassing both ownership and company assignment boundaries. The flaw exists in both the web and API file deletion controllers, where a class-level policy check is applied instead of the required instance-level check, constituting a classic IDOR (CWE-285). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active, authenticated Snipe-IT session where the user account holds 'update' permissions on assets - this is a generic, commonly assigned role for IT staff and help desk personnel. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector supplied in the input (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) is clearly a placeholder - it scores all impacts as None and authentication as None, which directly contradicts the description requiring an authenticated user with edit permissions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An internal Snipe-IT user - such as a help desk technician with standard asset edit rights - authenticates to the platform and identifies a file ID attached to an executive's or competitor department's asset (e.g., via sequential ID enumeration in the file deletion API endpoint). The attacker sends a DELETE request to `/api/v1/hardware/{asset_id}/files/{file_id}` substituting a target file ID on an asset they do not own; the class-level authorization check passes because the user has generic asset-edit permission, and the file is permanently deleted. … |
| Remediation | Upgrade Snipe-IT to version 8.4.1, which resolves the issue via commit 8bc7d50e35d93eee5a0d48b4923e497937cf93fd (https://github.com/grokability/snipe-it/commit/8bc7d50e35d93eee5a0d48b4923e497937cf93fd). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x667-r589-43m7