CVE-2026-55469
Received Received - Intake

Path Traversal in Snipe-IT via CSV Import

Vulnerability report for CVE-2026-55469, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the server process. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
grokability snipe-it to 8.6.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Snipe-IT IT asset/license management system prior to version 8.6.2. An authenticated user who has import and assets.update permissions can exploit a path traversal flaw by inserting a specially crafted path traversal string into an asset's image field during CSV import.

By doing this, the attacker can trigger the deletion of arbitrary files on the server that the application has access to, beyond just the intended asset images. This happens because the system does not properly restrict file paths, allowing deletion of files outside the designated directories.

The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and was fixed in version 8.6.2 by sanitizing file paths using the basename() function to ensure only filenames, not full paths, are processed.

Impact Analysis

This vulnerability can have a significant impact on system integrity and availability. An attacker with the required permissions can delete arbitrary files on the server, potentially removing critical system or application files.

Such unauthorized file deletions can lead to data loss, service disruption, and compromise of the asset management system's reliability.

The CVSS score of 6.5 reflects a moderate severity with high impact on integrity and availability, meaning the system could be partially or fully disrupted by exploiting this vulnerability.

Detection Guidance

This vulnerability involves an authenticated user exploiting the CSV import feature by injecting path traversal strings into asset image fields to delete arbitrary files. Detection would involve monitoring for unusual CSV import activities or suspicious file deletion events triggered by asset image updates.

Specifically, you can audit logs for CSV import actions performed by users with import and assets.update permissions and check for any file deletion operations that reference unexpected file paths.

Commands to help detect exploitation attempts might include:

  • Review application logs for CSV import events and asset image deletions.
  • Use file system monitoring tools (e.g., auditd on Linux) to track unlink or delete system calls on sensitive directories.
  • Example auditd rule to monitor file deletions in the asset image directory: auditctl -w /path/to/snipe-it/assets/images -p wa -k snipeit_image_deletion
  • Search for suspicious path traversal patterns in CSV import files or logs, such as '../' sequences.
Mitigation Strategies

The primary mitigation step is to upgrade Snipe-IT to version 8.6.2 or later, where this vulnerability has been fixed by properly sanitizing file paths to prevent path traversal.

Until the upgrade can be applied, restrict import and assets.update permissions to only trusted users to reduce the risk of exploitation.

Additionally, monitor and audit CSV import activities and file deletion operations to detect any suspicious behavior early.

Compliance Impact

The vulnerability allows an authenticated user to delete arbitrary files on the server, which can impact system integrity and availability.

Such unauthorized file deletion could lead to loss of critical data or disruption of services, potentially affecting compliance with standards like GDPR and HIPAA that require protection of data integrity and availability.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55469. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart