Authorization Flaw in Snipe-IT IT Asset Management System
CVE-2026-55460
7.1HIGH
What is CVE-2026-55460?
An authorization flaw exists in Snipe-IT's BulkUsersController that allows authenticated non-admin users with limited permissions to execute unauthorized actions. Specifically, these users can POST requests to /users/bulksave with a parameter to delete other non-admin users even though they are not granted permission to perform deletions. This was addressed by the release of version 8.6.2, which strengthens user permission checks.
Affected Version(s)
snipe-it < 8.6.2
