CVE-2026-55476
Undergoing Analysis Undergoing Analysis - In Progress

Authenticated User Can Cancel Others' Asset Requests in Snipe-IT

Vulnerability report for CVE-2026-55476, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} accepts cancel_by_admin as a URL path segment without sufficient authorization, allowing an authenticated user to supply a victim user ID and silently cancel that user’s pending asset requests. This issue is fixed in version 8.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
snipeitapp snipe-it to 8.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not explicitly address how the vulnerability CVE-2026-55476 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-55476 is a vulnerability in the Snipe-IT IT asset/license management system prior to version 8.6.0. It involves the POST endpoint /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?}, which accepts the cancel_by_admin parameter without sufficient authorization checks.

This flaw allows any authenticated user, regardless of their permissions, to supply a victim user's ID and silently cancel that user's pending asset requests by setting the cancel_by_admin parameter. Essentially, non-admin users can perform actions reserved for administrators without proper permission.

The issue was fixed by adding proper authorization checks to ensure only superusers or admins can perform cancellations using the cancel_by_admin parameter.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with valid accounts to cancel your pending asset requests without your knowledge or consent.

Such unauthorized cancellations could disrupt asset management workflows, cause confusion, and potentially lead to loss of access to necessary IT assets or licenses.

Because the cancellation is silent, victims may not be immediately aware that their requests have been canceled, which could delay important operations or asset allocations.

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the endpoint /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} where the cancel_by_admin parameter is supplied without proper authorization.

Specifically, detection involves identifying authenticated user sessions making POST requests with the cancel_by_admin parameter set to a truthy value and a victim user ID supplied as requestingUser, which should not be allowed for non-admin users.

Commands to detect such activity could include inspecting web server logs or using network monitoring tools to filter for suspicious POST requests to this URL pattern.

  • Use grep or similar tools on web server access logs to find POST requests containing 'cancel_by_admin' and 'requestingUser' parameters, for example: grep -i 'POST /account/request/.*cancel_by_admin' /var/log/nginx/access.log
  • Use network packet capture tools like tcpdump or Wireshark with filters for HTTP POST requests to the affected endpoint.
  • Implement application-level logging to record attempts to use the cancel_by_admin parameter and review logs for unauthorized usage.
Mitigation Strategies

The immediate mitigation step is to upgrade the Snipe-IT system to version 8.6.1 or later, where the vulnerability has been patched with proper authorization checks on the cancel_by_admin parameter.

Until the upgrade can be applied, restrict access to the affected POST endpoint to only trusted admin users if possible, and monitor for suspicious cancellation requests.

Additionally, review user permissions and session management to ensure that only authorized users have access to sensitive operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55476. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart