CVE-2026-55475
Received Received - Intake

Snipe-IT CSV Import Ownership Modification Vulnerability

Vulnerability report for CVE-2026-55475, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the created_by value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in version 8.6.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
snipe-it snipe-it 8.6.1
grokability snipe-it to 8.6.1 (exc)
grokability snipe-it to 8.6.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-55475 vulnerability in Snipe-IT allows a user with CSV import capabilities and a valid API key to overwrite the created_by field of an import file via the Importer API endpoint.

This means that an attacker can modify the ownership metadata of an import file, making it appear as if they created the import even if they did not.

The issue affects versions of Snipe-IT up to and including 8.6.0 and was fixed in version 8.6.1.

Impact Analysis

This vulnerability can impact you by allowing unauthorized modification of import ownership metadata, which compromises data integrity.

An attacker with the required privileges and a valid API key can make it appear that they created import files they did not, potentially misleading audit trails and accountability.

However, confidentiality and availability of data are not affected by this vulnerability.

Detection Guidance

This vulnerability involves the Importer API endpoint in Snipe-IT allowing a user with CSV import capabilities and a valid API key to overwrite the created_by field of an import file. Detection would involve monitoring API usage for suspicious or unauthorized modification attempts to the created_by field during CSV imports.

Since the vulnerability is exploited via the Importer API endpoint, you can detect it by auditing API logs for import requests that modify ownership metadata unexpectedly.

Specific commands are not provided in the resources, but general approaches include:

  • Review API access logs for Importer API calls that include CSV import operations.
  • Check for API requests where the created_by field is set or changed during import operations.
  • Use network monitoring tools to capture and analyze API traffic to detect unauthorized changes.
Mitigation Strategies

The primary mitigation step is to upgrade Snipe-IT to version 8.6.1 or later, where this vulnerability has been fixed.

The fix ensures that the created_by field of an import file cannot be overwritten by users with CSV import capabilities, preserving the original ownership metadata.

Additional security improvements include stricter controls on authentication-related fields during import and rate limiting on TOTP requests.

  • Upgrade Snipe-IT to version 8.6.1 or higher.
  • Review and restrict API key permissions to limit CSV import capabilities to trusted users.
  • Monitor API usage for suspicious import activity.
Compliance Impact

The vulnerability allows unauthorized modification of import ownership metadata by overwriting the created_by field. This impacts data integrity but does not affect confidentiality or availability.

Since data integrity is a key aspect of compliance with standards like GDPR and HIPAA, this vulnerability could potentially lead to non-compliance if unauthorized changes to import ownership metadata are exploited, as it undermines the trustworthiness and auditability of asset management records.

However, the provided information does not explicitly mention direct impacts on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55475. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart