Snipe-IT Missing Object-Level Authorization, CVE-2026-55478 (MEDIUM) -DC-Jul2026-881

Listen to this Post

How CVE-2026-55478 Works

Snipe-IT is a popular open-source IT asset and license management system used by organizations to track hardware, software licenses, and accessories. The platform provides a RESTful API for programmatic interaction, including endpoints for managing predefined “kits” – bundles of items and licenses that can be assigned to users in a single operation.
The vulnerability resides in the `/api/v1/kits/{kit_id}/licenses` endpoint, which handles `POST` requests to bind a license to an existing kit. In versions prior to 8.6.2, the authorization logic performed a crucial but incomplete check: it verified that the authenticated caller had permission to edit the kit itself (via the `kit_id` parameter). However, it failed to perform any authorization check on the license object being referenced in the request payload.
This is a classic case of Missing Object-Level Authorization (CWE-639). The system trusts the user-provided license identifier without validating that the caller has the necessary permissions to view, access, or manage that specific license. A low-privileged user – one who only has `predefined-kit` permissions (i.e., the ability to create or modify kits) – can supply any valid license ID in the request, including licenses that belong to other departments, are restricted to admin-only access, or contain sensitive cost/order metadata.
The attack is remotely exploitable over the network with low attack complexity, requires no user interaction, and leverages the attacker’s existing low-privilege credentials. By binding unauthorized licenses into a kit they control, the attacker can effectively “steal” license assignments, potentially depriving legitimate users of access or gaining visibility into restricted license pools. While the vulnerability does not directly expose sensitive data in the response, the act of binding itself constitutes an integrity violation – the attacker can alter the logical relationships between kits and licenses in a way that bypasses the intended permission model.
The issue was discovered and reported through GitHub’s security advisory process, receiving a CVSSv4 base score of 5.3 (MEDIUM) with the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vendor, grokability, addressed the flaw in version `8.6.2` by introducing proper license-level authorization checks during the bind operation. All users running versions `< 8.6.2` are affected and should upgrade immediately.

DailyCVE Form

| Field | Value |

|-|-|

| Platform | Snipe-IT |

| Version | < 8.6.2 |

| Vulnerability | Missing Object-Level Authorization |

| Severity | MEDIUM (CVSS 5.3) |

| Date | 2026-07-10 |

| Prediction | Patch expected 2026-06-13 |

What Undercode Say

Analytics & Telemetry Insights

Undercode threat intelligence indicates that this vulnerability is primarily exploitable in multi-tenant Snipe-IT deployments where license segregation is enforced via permission groups. The attack requires valid credentials, making it a post-authentication privilege escalation vector. No active in-the-wild exploits have been observed as of the disclosure date, but the exploitability is rated as easy due to the simplicity of the API call.

Bash Commands & Codes

To verify if your instance is vulnerable, check the installed version:

Check Snipe-IT version via artisan
php artisan snipeit:version
Or check the version file
cat config/version.php | grep version

To test the vulnerability using `curl` (requires a valid API token with kit-edit permissions):

Replace with your instance URL, kit_id, license_id, and API token
curl -X POST "https://snipeit.example.com/api/v1/kits/123/licenses" \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{"license_id": 456}'

If the request succeeds for a license the user should not have access to, the instance is vulnerable.

Exploit

An attacker with low-privilege credentials and `predefined-kit` permissions can exploit this by:
1. Identifying a target kit they can edit (e.g., kit_id=123).
2. Identifying a restricted license they want to bind (e.g., license_id=456).
3. Sending a `POST` request to `/api/v1/kits/123/licenses` with {"license_id":456}.
4. The endpoint checks only kit edit permissions, not license access rights.
5. The license is successfully bound to the kit, allowing the attacker to influence license assignments improperly.
No public exploit code has been released, but the technical details are straightforward, making custom exploitation trivial for any knowledgeable attacker.

Protection

  • Primary Mitigation: Upgrade to Snipe-IT version 8.6.2 or later, which includes the fix (commit 0d870d540d27107634f3134e0e7f106b3faa6992).
  • If Upgrade Is Not Immediately Possible:
  • Restrict API access to trusted networks or VPNs.
  • Audit and limit which users have `predefined-kit` permissions.
  • Monitor API logs for unexpected `POST /api/v1/kits//licenses` requests.
  • Apply the vendor-supplied patch manually if backporting is feasible.
  • Long-term: Regularly review object-level authorization logic in custom API endpoints and consider using a policy-based access control (PBAC) framework.

Impact

  • Confidentiality: Low – the attacker does not directly read license data, but may infer existence and assignment patterns.
  • Integrity: Low – the attacker can alter license-to-kit bindings, potentially misallocating licenses.
  • Availability: None – the service remains operational.
  • Business Impact: Unauthorized license binding can lead to license compliance violations, audit failures, and operational confusion regarding which users/teams are end to specific software licenses. In regulated environments, this may also constitute a control failure.
    All information sourced from the official CVE record, NVD, and vendor advisory (GHSA-crv3-j83j-f3r6).

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top