Unauthorized Request Cancellation in Snipe-IT IT Asset Management System
CVE-2026-55476

5.3MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55476?

Snipe-IT, a widely used IT asset and license management system, contains a vulnerability that allows authenticated users to cancel pending asset requests belonging to other users. This exploit occurs if the cancel_by_admin parameter is included in the URL path without appropriate authorization checks. Malicious actors could leverage this flaw to manipulate asset management processes, leading to unauthorized actions against pending requests. The issue has been resolved in version 8.6.0, reinforcing the need for users to update to the latest version to mitigate this risk.

Affected Version(s)

snipe-it < 8.6.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.