Access Control Flaw in Snipe-IT Asset Management System
CVE-2026-55516
7.7HIGH
What is CVE-2026-55516?
The Snipe-IT IT asset management system has a significant access control vulnerability that was present in versions before 8.6.2. The flaw arises in the handling of PATCH or PUT requests made to the /api/v1/maintenances/{maintenance_id} endpoint. An attacker could manipulate fields such as asset_id without proper authorization checks being enforced on the newly provided asset, enabling an authorized user to potentially assign maintenance records to assets beyond their corporate scope. This issue has been addressed in version 8.6.2.
Affected Version(s)
snipe-it < 8.6.2
