Snipe-IT, Authorization Bypass Through User-Controlled Key, CVE-2026-55516 (High) -DC-Jul2026-895

Listen to this Post

How CVE-2026-55516 Works

Snipe-IT is a popular open‑source IT asset and license management system used by organizations to track hardware, software, and maintenance activities. The application provides a RESTful API for programmatic interactions, including the endpoint `/api/v1/maintenances/{maintenance_id}` which allows users to update existing maintenance records via `PATCH` or `PUT` requests.
Prior to version 8.6.2, this endpoint suffered from a critical authorization flaw. When a request was sent to update a maintenance record, the application correctly performed an access control check on the current maintenance record and the asset it was associated with. This initial verification ensured that the authenticated user had the necessary permissions to modify that specific record within their company scope.
However, after this preliminary check, the application blindly accepted and processed all fields supplied in the request body, including the `asset_id` field. The critical mistake was that the system did not re‑authorize the newly provided `asset_id` before updating the database. An attacker—who is already an authenticated user with low privileges—could therefore change the `asset_id` of a maintenance record to point to any asset in the system, even one that belongs to a different company or organizational unit to which the attacker has no legitimate access.
This effectively allows a malicious insider to “re‑parent” a maintenance record onto an asset outside their authorized scope. The impact is twofold: first, it can lead to data corruption and misattribution of maintenance history; second, it can be used to cover tracks or manipulate audit trails by associating maintenance activities with assets that were never actually serviced. The vulnerability is classified under CWE‑639 (Authorization Bypass Through User‑Controlled Key) because the attacker directly controls the key (asset_id) that determines the target resource, and the system fails to enforce proper authorization after the key is changed.
The issue was discovered and reported through GitHub’s security advisory channel, and it affects all Snipe‑IT versions prior to 8.6.2. The fix, implemented in version 8.6.2, adds a secondary authorization check after the `asset_id` is updated, ensuring that the user has the appropriate permissions for the new asset before the change is committed.

DailyCVE Form:

Platform: Snipe‑IT
Version: < 8.6.2
Vulnerability: Authorization Bypass (CWE‑639)
Severity: High (CVSS 7.7)
Date: 2026‑07‑10

Prediction: Apply patch 8.6.2 immediately

What Undercode Say: Analytics

  • CVSS Vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N`
    – Attack Complexity: Low – the attacker only needs to send a crafted HTTP request.
  • Privileges Required: Low – any authenticated user can exploit this.
  • User Interaction: None – the attack can be performed without any user involvement.
  • Scope: Changed – the vulnerability allows action on resources outside the attacker’s authorized scope.
  • Integrity Impact: High – the attacker can modify maintenance records to point to arbitrary assets.
  • Exploitability: The vulnerability is trivial to exploit via a simple API call.
  • EPSS Score: 0.22% (probability of exploitation in the wild within 30 days).

Bash command to check your Snipe‑IT version:

php artisan --version

Composer command to update to the patched version:

composer require snipe/snipe-it:^8.6.2

Manual verification of the fix (commit reference):

The patch is included in commit `676a9958` (and later) – ensure your deployment includes this commit.

Exploit

An authenticated attacker can craft a `PATCH` or `PUT` request to the endpoint:

PATCH /api/v1/maintenances/{maintenance_id} HTTP/1.1
Host: snipe-it.example.com
Authorization: Bearer <valid_token>
Content-Type: application/json
{
"asset_id": 9999 // asset ID belonging to another company
}

Because the application does not re‑verify the new asset_id, the maintenance record is moved to the attacker‑chosen asset, bypassing company‑scope restrictions.

Protection

  • Immediate Upgrade: Update to Snipe‑IT version 8.6.2 or later.
  • API Access Controls: Restrict API access to trusted IP ranges or use a VPN/gateway.
  • Audit Logs: Enable detailed audit logging for all API write operations and monitor for unexpected `asset_id` changes.
  • Input Validation: Implement additional server‑side validation to ensure that the `asset_id` belongs to the same company as the authenticated user.
  • Web Application Firewall (WAF): Deploy rules to detect and block anomalous PATCH/PUT requests with suspicious `asset_id` values.

Impact

  • Data Integrity: Maintenance records can be incorrectly associated with assets outside the attacker’s scope, leading to corrupted maintenance histories and inaccurate asset tracking.
  • Audit Trail Manipulation: Attackers can cover up unauthorized maintenance activities or create false records to mislead auditors.
  • Compliance Violations: In regulated industries, inaccurate asset maintenance records can lead to compliance failures and potential fines.
  • Operational Disruption: Misattributed maintenance may cause confusion for IT staff, resulting in wasted effort and potential service downtime.
  • Lateral Movement: While this vulnerability does not directly expose sensitive data, it can be used as a stepping stone to gain further trust or cause reputational damage.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top