CVE-2026-55460
Undergoing Analysis Undergoing Analysis - In Progress

Authenticated User Privilege Escalation in Snipe-IT

Vulnerability report for CVE-2026-55460, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with delete_user=1 because BulkUsersController::destroy() authorizes only update, allowing the user to soft-delete another non-admin user. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
snipeitapp snipe-it to 8.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55460 is an authorization bypass vulnerability in the Snipe-IT asset management system affecting versions 8.6.1 and earlier.

An authenticated non-admin user who has permissions to view and edit users but does not have permission to delete users can exploit this flaw.

The vulnerability allows such a user to soft-delete other non-admin users by sending a specially crafted POST request to the /users/bulksave endpoint with the parameter delete_user=1.

This happens because the bulk delete endpoint only checks for update permissions instead of requiring delete permissions, which is a flaw in the authorization logic.

The attacker needs a valid CSRF token and the target user ID to perform this unauthorized soft-delete action.

This issue was fixed in version 8.6.2 of Snipe-IT.

Compliance Impact

This vulnerability allows an authenticated non-admin user to soft-delete other non-admin users without proper authorization, which constitutes unauthorized modification of user data.

Such unauthorized data modification can impact compliance with standards and regulations that require strict access controls and data integrity protections, such as GDPR and HIPAA.

Specifically, the ability to delete user accounts without proper permissions could lead to violations of data protection principles, including unauthorized processing and potential loss of user data integrity.

Impact Analysis

This vulnerability can impact you by allowing an authenticated non-admin user to soft-delete other non-admin user accounts without proper authorization.

The impact is primarily on data integrity, as unauthorized modification (soft deletion) of user accounts can occur.

There is also a limited impact on availability since user accounts can be soft-deleted, potentially disrupting user access.

The attack requires network access, low attack complexity, and low privileges but does not require user interaction.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the /users/bulksave endpoint with the parameter delete_user=1 from authenticated non-admin users who have users.view and users.edit permissions but lack users.delete permissions.

A possible detection method is to inspect web server logs or use network monitoring tools to identify such suspicious POST requests.

Example command to search web server logs for suspicious requests (assuming Apache logs):

  • grep 'POST /users/bulksave' /var/log/apache2/access.log | grep 'delete_user=1'

Additionally, monitoring application logs for bulk user operations performed by non-admin users without delete permissions can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade Snipe-IT to version 8.6.2 or later, where this vulnerability has been fixed by enforcing proper permission checks requiring explicit delete permissions for bulk user deletion.

If upgrading immediately is not possible, restrict access to the /users/bulksave endpoint to only trusted admin users or implement additional access controls to prevent non-admin users from sending POST requests with delete_user=1.

Review and audit user permissions to ensure that non-admin users do not have unintended permissions that could be exploited.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55460. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart