URL Redirection Flaw in Snipe-IT IT Asset Management System
CVE-2026-55461

6.1MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55461?

Snipe-IT, an IT asset and license management system, contains a vulnerability that allows an attacker to manipulate the intended URL session value through a user-edit flow. Prior to version 8.6.2, this flow incorrectly stores the Referer header from the attacker into a Laravel session variable, enabling the potential for malicious redirection after a legitimate user submits a change. This can lead to unauthorized access or the exploitation of trust in redirection mechanisms by legitimate users.

Affected Version(s)

snipe-it < 8.6.2

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.