Access Control Flaw in Snipe-IT Asset Management System
CVE-2026-55516

7.7HIGH

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55516?

The Snipe-IT IT asset management system has a significant access control vulnerability that was present in versions before 8.6.2. The flaw arises in the handling of PATCH or PUT requests made to the /api/v1/maintenances/{maintenance_id} endpoint. An attacker could manipulate fields such as asset_id without proper authorization checks being enforced on the newly provided asset, enabling an authorized user to potentially assign maintenance records to assets beyond their corporate scope. This issue has been addressed in version 8.6.2.

Affected Version(s)

snipe-it < 8.6.2

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.