CVE-2026-55462
Received Received - Intake

Sensitive Data Exposure in Snipe-IT Asset Management

Vulnerability report for CVE-2026-55462, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and cost/order metadata from modules that direct permissions would otherwise deny. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
snipe-it snipe-it 8.6.2
grokability snipe-it 8.6.2
grokability snipe-it to 8.6.1 (exc)
grokability snipe-it to 8.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55462 is an authorization bypass vulnerability in the Snipe-IT asset management system affecting versions 8.6.0 and earlier.

The issue allows an authenticated user with only the "users.view" permission to access sensitive inventory data of other users, including software license names, purchase order values, accessory and consumable names, assignment notes, and purchase costs.

This happens because the UsersController::show() and printInventory() functions do not properly enforce module-specific permissions when loading and rendering assigned license, accessory, and consumable relationships.

An attacker can exploit this by requesting a target user's detail page or print inventory page, which returns the protected data even though they lack direct access to those modules.

The vulnerability was fixed in version 8.6.2.

Impact Analysis

This vulnerability allows an authenticated user with limited permissions to view sensitive inventory and cost/order metadata that they should not have access to.

Specifically, unauthorized users can see software license details, purchase order values, accessory and consumable names, assignment notes, and purchase costs.

The impact is primarily a confidentiality breach, exposing sensitive business information.

The CVSS score is 4.3 (Moderate), indicating a moderate severity with low attack complexity and no user interaction required.

Detection Guidance

This vulnerability can be detected by attempting to access a target user's detail page or print inventory page while authenticated with only the 'users.view' permission. If the response contains sensitive inventory data such as software license names, purchase order values, accessory and consumable names, assignment notes, or purchase costs, the system is vulnerable.

A practical approach is to use HTTP request tools like curl or wget to request these pages and inspect the returned data.

  • Example curl command to test access to a user's detail page: curl -i -H "Authorization: Bearer <token>" https://<snipe-it-instance>/users/<user-id>
  • Example curl command to test access to the print inventory page: curl -i -H "Authorization: Bearer <token>" https://<snipe-it-instance>/users/<user-id>/print-inventory

If these requests return HTTP 200 responses containing sensitive inventory information despite limited permissions, the vulnerability is present.

Compliance Impact

CVE-2026-55462 allows an authenticated user with limited permissions to access sensitive inventory data that they should not be authorized to see. This unauthorized disclosure of inventory and cost/order metadata could potentially lead to exposure of sensitive business information.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized access to sensitive data can be a compliance risk under these regulations, which require strict access controls and protection of sensitive information.

The vulnerability was fixed in version 8.6.1, and users are encouraged to upgrade to mitigate the risk of unauthorized data exposure, thereby helping maintain compliance with data protection requirements.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Snipe-IT system to version 8.6.2 or later, where the issue has been fixed.

Until the upgrade can be performed, restrict user permissions to avoid granting 'users.view' permission to users who should not have access to inventory and cost/order metadata.

Additionally, monitor and audit user access to ensure no unauthorized viewing of sensitive inventory data occurs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55462. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart