Data Deletion Vulnerability in Snipe-IT IT Asset Management System
CVE-2026-55515

5MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55515?

The Snipe-IT IT asset and license management system contains a vulnerability that allows users with 'reports.view' permissions to delete pending checkout acceptance records across different companies. This occurs due to the lack of proper authorization checks on the unaccepted-assets report delete endpoint prior to version 8.6.2. As a result, a reports user can manipulate records that do not belong to their organization, leading to potential data integrity issues. The flaw has been addressed in version 8.6.2, which reinforces access controls to prevent unauthorized data manipulation.

Affected Version(s)

snipe-it < 8.6.2

References

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.