Data Deletion Vulnerability in Snipe-IT IT Asset Management System
CVE-2026-55515
5MEDIUM
What is CVE-2026-55515?
The Snipe-IT IT asset and license management system contains a vulnerability that allows users with 'reports.view' permissions to delete pending checkout acceptance records across different companies. This occurs due to the lack of proper authorization checks on the unaccepted-assets report delete endpoint prior to version 8.6.2. As a result, a reports user can manipulate records that do not belong to their organization, leading to potential data integrity issues. The flaw has been addressed in version 8.6.2, which reinforces access controls to prevent unauthorized data manipulation.
Affected Version(s)
snipe-it < 8.6.2
