Skip to main content

Snipe-IT EUVDEUVD-2026-42994

| CVE-2026-55462 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-10 security-advisories@github.com
4.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible web endpoint requires only a low-privilege authenticated session (users.view role); confidentiality impact is limited to partial inventory metadata with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 21:02 EUVD
Analysis Generated
Jul 10, 2026 - 20:41 vuln.today

DescriptionCVE.org

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and cost/order metadata from modules that direct permissions would otherwise deny. This issue is fixed in version 8.6.2.

AnalysisAI

Incorrect authorization in Snipe-IT's UsersController before version 8.6.2 allows any authenticated user holding only the users.view permission to access restricted inventory and procurement metadata - including assigned licenses, accessories, consumables, and associated cost and order data - from modules their direct permissions would otherwise deny. The flaw exists in both the show() and printInventory() controller methods, which enforce authorization only for the user-viewing scope before eagerly loading and rendering related asset relationships without further permission checks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or hold users.view credentials
Delivery
Authenticate to Snipe-IT web interface
Exploit
Request /users/{id} or printInventory endpoint
Execution
Controller checks only users.view gate, skips module permission checks
Persist
Application eager-loads license, accessory, consumable relationships
Impact
Read restricted cost and order metadata from rendered response

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session in Snipe-IT with at minimum the users.view permission - this is the only prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 Medium score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is an accurate representation of real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated helpdesk technician with only the users.view role navigates to another user's profile page at /users/{id} or accesses the printInventory endpoint in Snipe-IT before version 8.6.2. The controller loads and renders all assigned licenses (including license keys and seat costs), accessories, and consumables for that user without checking whether the requesting technician holds the corresponding module-level view permissions. …
Remediation Upgrade Snipe-IT to version 8.6.2 or later, which resolves the incorrect authorization in UsersController::show() and printInventory() - this is the only definitive fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-5511 HIGH POC
8.8 Oct 11

Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. Rated high severity (CVSS 8.8),

CVE-2022-23064 HIGH POC
8.8 May 02

In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. Rated high severity (CVSS 8.8), this

CVE-2021-4130 HIGH POC
8.8 Dec 18

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2021-3858 HIGH POC
8.8 Oct 19

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2022-2997 HIGH POC
8.0 Aug 25

Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. Rated high severity (CVSS 8.0), this vulnerability

CVE-2022-1155 HIGH POC
7.4 Mar 30

Old sessions are not blocked by the login enable function. Rated high severity (CVSS 7.4), this vulnerability is remotel

CVE-2021-4075 HIGH POC
7.2 Dec 06

snipe-it is vulnerable to Server-Side Request Forgery (SSRF). Rated high severity (CVSS 7.2), this vulnerability is remo

CVE-2024-48987 MEDIUM POC
6.6 Oct 11

Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the AP

CVE-2022-1511 MEDIUM POC
6.5 Apr 28

Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. Rated medium severity (CVSS 6.5), this vulnera

CVE-2021-4108 MEDIUM POC
6.1 Dec 14

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me

CVE-2021-3863 MEDIUM POC
6.1 Oct 19

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me

CVE-2025-65622 MEDIUM POC
5.4 Dec 01

Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user

Share

EUVD-2026-42994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy