Unauthorized Request Cancellation in Snipe-IT IT Asset Management System
CVE-2026-55476
5.3MEDIUM
What is CVE-2026-55476?
Snipe-IT, a widely used IT asset and license management system, contains a vulnerability that allows authenticated users to cancel pending asset requests belonging to other users. This exploit occurs if the cancel_by_admin parameter is included in the URL path without appropriate authorization checks. Malicious actors could leverage this flaw to manipulate asset management processes, leading to unauthorized actions against pending requests. The issue has been resolved in version 8.6.0, reinforcing the need for users to update to the latest version to mitigate this risk.
Affected Version(s)
snipe-it < 8.6.0
