Unauthorized Access Vulnerability in Snipe-IT License Management System
CVE-2026-55542

1.3LOW

Key Information:

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-55542?

Snipe-IT, an IT asset and license management system, has a vulnerability that allows authenticated users to retrieve signed S3 URLs without proper authorization before a critical authorization function is called. In versions earlier than 8.6.1, users who are aware of the signature filename can access a temporary S3 URL, providing them with unauthorized access to secure assets for a limited time. This flaw underscores the importance of stringent authorization checks in systems employing S3 for storing assets. Users are encouraged to upgrade to version 8.6.1 or later to mitigate this risk.

Affected Version(s)

snipe-it < 8.5.1

References

CVSS V4

Score:
1.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.