CVE-2026-55478
Undergoing Analysis Undergoing Analysis - In Progress

Authorization Bypass in Snipe-IT Kit License Binding

Vulnerability report for CVE-2026-55478, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/{kit_id}/licenses checks whether the caller can edit kits but does not authorize access to the referenced license object, allowing a low-privilege user with predefined-kit permissions to bind a license they should not be able to access or manage into a kit. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
snipeitapp snipe-it to 8.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-55478 is an object-level authorization flaw in the Snipe-IT asset management system, specifically in the Kits API endpoint POST /api/v1/kits/{kit_id}/licenses.

While the API checks if a user has permission to edit kits, it does not verify whether the user has permission to access or manage the specific license being added to a kit.

This allows a low-privilege user with only predefined-kit permissions to bind a license they should not be able to access or manage into a kit.

The issue was fixed in version 8.6.2 by adding proper authorization checks to ensure users have both kit edit and license view permissions before associating licenses with kits.

Impact Analysis

This vulnerability can allow unauthorized users with limited permissions to associate licenses with kits that they should not have access to.

Such unauthorized modifications could lead to incorrect asset or license management, potentially causing confusion, misallocation of resources, or unauthorized use of licenses.

It may also undermine the integrity of the asset management system by allowing low-privilege users to make changes beyond their intended scope.

Detection Guidance

This vulnerability involves a missing object-level authorization check in the Snipe-IT Kits API endpoint POST /api/v1/kits/{kit_id}/licenses, allowing low-privilege users to bind licenses they should not access.

To detect exploitation attempts on your system, you can monitor API calls to the endpoint POST /api/v1/kits/{kit_id}/licenses for unusual activity from users with only predefined-kit permissions.

Specifically, you can audit logs for POST requests to this endpoint where the user does not have full license management permissions but is able to add licenses to kits.

Commands to help detect this might include searching your web server or application logs for such POST requests, for example using grep or similar tools:

  • grep 'POST /api/v1/kits/' /path/to/snipe-it/logs/access.log | grep '/licenses'
  • Analyze the user roles associated with these requests to identify if low-privilege users are performing license bindings.

Additionally, you can use API monitoring or intrusion detection systems to alert on POST requests to this endpoint from users lacking proper license permissions.

Mitigation Strategies

The primary mitigation step is to upgrade your Snipe-IT installation to version 8.6.2 or later, where this vulnerability has been fixed.

The fix involves proper authorization checks ensuring that users must have both kit edit permissions and view permissions on the specific license before associating it with a kit.

If upgrading immediately is not possible, consider restricting access to the POST /api/v1/kits/{kit_id}/licenses endpoint to only trusted users with full permissions.

Review and tighten user roles and permissions to ensure that low-privilege users cannot perform license bindings.

Monitor logs for suspicious activity as a temporary measure until the patch can be applied.

Compliance Impact

The vulnerability allows a low-privilege user to associate licenses they should not have access to with predefined kits due to missing object-level authorization checks. This unauthorized access and modification could lead to improper handling of asset/license data.

Such unauthorized access and potential data exposure or modification may impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data.

However, the provided information does not explicitly state the direct impact on compliance frameworks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55478. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart